110th  congress    w  f    T%         >i  >|  O 

2B  SESSION    H.  K.  544i 

To  provide  individuals  with  access  to  health  information  of  which  they  are 
a  subject,  to  ensure  personal  privacy,  security,  and  confidentiality  with 
respect  to  health  related  information  in  promoting  the  development  of 
a  nationwide  interoperable  health  information  infrastructure,  to  impose 
criminal  and  civil  penalties  for  unauthorized  use  of  personal  health  infor- 
mation, to  provide  for  the  strong  enforcement  of  these  rights,  to  protect 
States'  rights,  and  for  other  purposes. 


IN  THE  HOUSE  OF  REPRESENTATIVES 

Februaey  14,  2008 
Mr.  Market  (for  himself,  Mr.  EjVIANUEL,  and  Mrs.  Capps)  introduced  the  fol- 
lowing bill;  which  was  referred  to  the  Committee  on  Energy  and  Com- 
merce, and  in  addition  to  the  Committees  on  Ways  and  Means,  Education 
and  Labor,  and  Financial  Services,  for  a  period  to  be  subsequently  deter- 
mined by  the  Speaker,  in  each  case  for  consideration  of  such  pro^dsions 
as  fall  within  the  jurisdiction  of  the  committee  concerned 


A  BILL 

To  provide  indmduals  with  access  to  health  information  of 
which  they  are  a  subject,  to  ensure  personal  privacy, 
security,  and  confidentiality  with  respect  to  health  related 
information  in  promoting  the  development  of  a  nation- 
wide interoperable  health  information  infrastructure,  to 
impose  criminal  and  civil  penalties  for  unauthorized  use 
of  personal  health  information,  to  provide  for  the  strong 
enforcement  of  these  rights,  to  protect  States'  rights, 
and  for  other  purposes. 


■  2- 

1  Be  it  enacted  hy  the  Senate  afid  House  of  Representa- 

2  tives  of  the  United  States  of  America  in  Cofigress  assemhled, 

3  SECTION  1.  SHORT  TITLE. 

4  (a)  Short  Title. — This  Act  may  be  cited  as  the 

5  "Technologies  for  Restoring  Users'  Security  and  Trust  in 

6  Health  Information  Act  of  2008"  or  as  the  "TRUST  in 

7  Health  Information  Act  of  2008".  ' 

8  (b)  Table  of  Contents. — The  table  of  contents  of 

9  this  Act  is  as  follows: 

Sec.  1.  Short  title.  '  ^  '  ■ 

Sec.  2.  Findings;  purposes. 

TITLE  I— HEALTH  INFORMATION  PRIVACY  AND  SECURITY 

Sec.  100.  Summary  of  privacy  rights  and  security  obhgations. 

Subtitle  A — ^Access  to  and  Accuracy  of  Personal  Health  Information 

See.  101.  Inspection  and  copying  of  personal  health  information. 
Sec.  102.  Modifications  to  personal  health  information. 

Subtitle  B — Security  of  Personal  Health  Information 

Sec.  111.  Notice  of  privacy  practices. 

Sec.  112.  Estabhshment  of  safeguards. 

Sec.  113.  Notification  in  the  case  of  breach. 

Sec.  114.  Transparency. 

Sec.  115.  Risk  management.  ,  . 

Sec.  116.  Accounting  for  disclosures  and  use. 

Subtitle  C — Use  and  Disclosure  of  Personal  Health  Information 

Chapter  1 — General  Restrictions 

Sec.  121.  General  rales  regarding  use  and  disclosure. 

Sec.  122.  Informed  consent  for  disclosure  of  personal  health  information  for 

treatment  and  pa.yment. 
Sec.  123.  Informed  consent  and  authorization  for  disclosure  of  personal  health 

information  other  than  for  treatment  or  payment. 

Chapter  2 — Exceptions 

Sec.  131.  Disclosure  for  law  enforcement,  national  security,  and  intelligence 
purposes. 

Sec.  132.  Disclosure  for  pubhc  health  pui-poses. 

Sec.  133.  Reporting  of  abuse  and  neglect  to  protection  and  advocacy  agencies. 
Sec.  134.  Disclosure  to  next  of  kin  and  directory  information. 
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•  Chapter  3 — Special  Circumstances 

Sec.  141.  Emergency  circumstances. 

See.  142.  Health  research. 

Sec.  143.  Health  oversight  functions. 

Sec.  144.  Individual  representatives.  .  . 

Subtitle  D— Enforcement 

Sec.  151.  In  general. 

Sec.  152.  Enforcement  by  State  attorneys  general. 

Subtitle  E — Miscellaneous 

Sec.  161.  Office  of  Health  Information  Privacy. 
Sec.  162.  Protection  for  whistleblowers. 

Sec.  163.  Demonstration  grant  for  indi\'iduals  with  hmited  English  language 

proficiency  or  limited  health  literacy. 
Sec.  164.  Relationship  to  other  laws. 
Sec.  165.  Effective  date. 

Subtitle  F — General  Definitions 
Sec.  171.  General  definitions. 

TITLE  II— PROMOTION  OP  HEALTH  IXFOR^UTIOX  TECHNOLOGY 
Subtitle  A — Impro\ing  the  Interoperability  of  Health  Information  Technology'' 

See.  201.  Office  of  the  National  Coordinator  of  Health  Information  Technology. 

Sec.  202.  Partnership  for  Health  Care  Improvement. 

Sec.  203.  American  Health  Information  Community  pohcies. 

Sec.  204.  Research  access  to  health  care  data  and  reporting  on  performance. 

Subtitle  B — Facihtating  the  Widespread  Adoption  of  Interoperable  Health 
Information  Technology 

Sec.  211.  Facilitating  the  widespread  adoption  of  interoperable  health  informa- 
tion technology. 

See.  212.  Demonstration  program  to  integrate  information  technologv  into  clin- 
ical education. 

Sec.  213.  Qualified  health  information  technolog\^  system  defined. 

Subtitle  C — Improwg  the  Quality  of  Health  Care 

Sec.  221.  Fostering  development  and  use  of  health  care  quahty  measures. 
Sec.  222.  Adoption  and  use  of  quality^  measures;  reporting. 

Subtitle  D — Miscellaneous  Prorisions 

Sec.  231.  Health  Information  Technology  Resource  Center. 

Sec.  232.  Facilitating  the  provision  of  telehealth  services  across  State  hnes. 

Subtitle  E — Definitions 

Sec.  241.  Definitions. 

TITLE  III— ADDITIONAL  PROVISIONS 
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Sec.  301.  Federal  purchasing  and  data  collection  by  CMS  and  other  Federal 
agencies. 

Sec.  302.  Ensuring  health  care  providers  participating  in  the  medicare  program 
may  maintain  health  information  in  electronic  form. 

1    SEC.  2.  FINDINGS;  PURPOSES.  f 


2  (a)  Findings. — Congress  finds  the  folloAving: 

3  (1)  Americans  are  deeply  concerned  about  the 

4  privacy  and  security  of  their  personal  information, 

5  including"  their  health  records.  •  ' 

6  (2)  In  October  2007,  a  Harris  Interactive  Poll 

7  commissioned  by  the  Institute  of  Medicine  found 

8  that  58  percent  of  respondents  indicated  they  do  not 

9  believe  Federal  and  State  laws  and  organizational 

10  practices   offer   sufficient   protection   of  personal 

11  health  information. 

12  (3)  In  February  2007,  the  Markle  Foundation 

13  reported  that  80  percent  of  individuals  suiveyed 

14  were  very  concerned  about  identity  theft  or  fraud 

15  and  77  percent  were  very  concerned  that  their  med- 

16  ical  information  would  be  used  for  marketing  pur- 

17  poses. 

18  (4)  Concerns  al^out  the  privacy  and  security  of 

19  personal  health  information  are  fueled  by  the  esca- 

20  lating  number  of  breaches  of  personal  information 

21  that  have  occurred  in  recent  years  and  numerous  re- 

22  ports  of  the  inadequacy  of  the  security  of  electronic 

23  networks. 
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1  (5)  Aee.jrding  x>j  the  Privacy  Ridits  Clearing-- 

2  house,  more  than  216.000.000  data  records  belong- 

3  ing  TO  r.S.  residents  have  been  exjiosed  to  potential 

4  misuse  as  a  result  of  security-  breaches  smce  Janii- 

5  aiy  2005.  _      .  ^ 

6  (6)  A  nationwide  interoperable  health  int'orrna- 

7  ticin  infi'astractiu'e  cari  strengthen  privacy,  sectuir^',, 

8  and  ecmtideritiahty  safeguards,  protecting  patients' 

9  personal  health  information  wMe  also  unproAing 

10  health  care  qtialir^-.  safety-,  arid  affordabihtA^. 

11  -  (7)  In  order  for  mch^idtials.  health  care  pro- 

12  aiders,  and  health  care  payers  to  achieve  the  lienefits 

13  associated  with  such  infr-astracttire.  strong  data  pri- 

14  vacT.  sectuitA-.  and  coinndentialir^'  standards  must  be 

15  developed,  adopted,  and  incjip-jrated  mto  the  health 

16  information  teclmolog}"  uifi-astmcrLire. 

17  ^  (8)  ^Miile  Exectitive  Order  13335  regarchng 

18  mteroperablf  health  information  technology'  issued 

19  on  April  27.  2004.  called  for  widespread  adoption  of 

20  mteruperable  electronic  health  records  within  10 

21  years,  estabhshed  the  position  of  National  Coorch- 

22  nator  of  Health  Informatiijn  Teclmology.  and  stipii- 

23  lated  that  the  plan  fjr  the  natiomvide  implement a- 

24  tion  of  mteroperable  health  information  teclmology' 

25  should  adckess  privacy  and  sectuity  issues,  adecpate 
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1  progi-ess  has  not  been  made  to  ensure  that  a  strong 

2  data  privacy,  security,  and  confidentiahty  approach 

3  will  guide  the  development  of  this  nationwide  infra- 

4  structure  beginning  in  its  initial  stages  and  con- 

5  tinning  throughout  its  formulation.    '  ■ 

6  (9)  According  to  a  Febmary  1,  2007,  report  of 

7  the  Government  Accountability  Office  (GAO),  the 

8  Department  of  Health  and  Human  Services  and  its 

9  Office  of  the  National  Coordinator  of  Health  Infor- 

10  mation  Technology  have  not  yet  defined  an  overall 

11  approach  for  integi^ating  privacy-related  initiatives 

12  the  Department  has  undertaken  in  the  area  of 

13  health  information  technolog}^  or  addressing  key  pri- 

14  vacy  principles,  nor  has  the  Department  defined 

15  milestones  for  integrating  the  results  of  these  activi- 

16  ties  while  it  has  moved  foi-ward  with  development  of 

17  standards  for  a  national  electronic  health  mforma- 

18  tion  system. 

19  ■  (10)  All  Americans  have  a  right  to  privacy,  se- 

20  curity,  and  confidentiality  with  respect  to  the  elec- 

21  tronic  disclosure  of  their  personal  health  informa- 

22  tion,  and  the  nationmde  implementation  of  inter- 

23  operable  health  information  technology  should  abide 

24  by,  and  be  consistent  with,  tliis  right. 
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1  AVithoiit  adequate  privacy,  seciirity.  and 

2  coiifideriTialiTy  standards,  individuals  v\t11  be  more 

3  likely  to  avoid       delay  medical  treatment  or  vith- 

4  hold  peninent  information  fi'om  their  health  pro- 

5  Aiders,  potentiahy  resiiltmg  hi  lost  prodiicti^ir^-.  in- 

6  creased  morbichty  rates,  and  hicreased  costs  to  the 

7  health  care  s^'stem. 

8  (12)  As  stipulated  by  the  Secretaiy  of  Health 

9  and  Himian  Sendees  in  the  Final  Rule  for  Stand- 

10  ards  for  PriA-acy  of  LichAidiially  Lientifiable  Health 

11  Infomiation  'do  C.F.R.  parts  160  and  164).  the 

12  standards  contamed  in  the  Final  Rule  are  intended 

13  to  estabhsli  a  floor  of  privacy  protection  and  are  not 

14  designed  to  senT  as  ""best  practices""  for  the  rise  or 

15  chsclosiire  of  personal  health  information. 

16  (13i  To  gT-iide  the  development,  miplementation. 

17  and  operation  of  an  interoperalde  natiLim\ide  health 

18  information    teclmology    hifi-astmctiire.  Congress 

19  should  establish  specific  nhiurniim  standards  for  the 

20  use  and  disclosure  of  inchAi duals'  personal  health  in- 

21  formation  and  dkect  the  Depanment  of  Health  and 

22  Human  Sendees  to  promulgate  regulations  relating 

23  to  personal  health  iiiformatii:)n  that  are  consistent 

24  \vixh  individuals"  right  to  privacy,  security-,  and  con- 

25  fidentiahty  Avith  respect  to  the  electronic  use  or  dis- 
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1  closure  of  their  personal  health  information,  the 

2  public  interest,  and  the  purposes  of  this  Act. 

3  (b)  Purpose. — The  purposes  of  this  Act  are  as  fol- 

4  lows: 

5  (1)  To  recognize  that  individuals  have  a  right 

6  to  privacy,  confidentiality,  and  security  with  respect 

7  to  health  information,  including  genetic  information, 

8  and  that  those  fiindamental  rights  are  rooted  in  the 

9  Nation's  history  and  medical  ethics  and  must  be 

10  protected. 

11  (2)  To  ensure  that  individuals  are  able  to  exer- 

12  cise  their  right  to  health  information  privacy  by  re- 

13  quiring  their  consent  for  the  use  and  disclosure  of 

14  their  identifiable  health  information  unless  othei'wise 

15  required  by  law.  ■  . 

16  (3)  To  encourage  the  development  of  a  nation- 

17  wide  interoperable  health  information  technology  in- 

18  frastructure  that  protects  individuals'  privacy,  con- 

19  fidentiality,  and  security  with  respect  to  their  health 

20  information  while  also  improving  health  care  quality, 

21  promoting  data  accuracy,  reducing  medical  errors, 

22  and  increasing  the  efficiency  of  care. 

23  (4)  To  create  incentives  to  turn  personal  health 

24  information  into  de-identified  health  information  (as 

25  defined  in  section  171(5)),  where  appropriate. 
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1  ( 5  I  To  designate  an  Office  of  Health  Informa- 

2  tion  Privacy  A\ithin  the  Department  of  Health  and 

3  Himian  Senices  to  protect  individuals"  right  of  pri- 

4  vacy. 

5  1 6 )  To  provide  individtials  v\ith — 

6  (A)  access  to  health  information  of  which 

7  they  are  the  subject: 

8  (B)  the  oppoitimitA-  to  challenge  the  accti- 

9  racy  and  completeness  of  such  information  by 

10  being  able  to  file  mochfications  to  or  request  the 

1 1  deletion  of  such  mformation.-  and 

12  (Ci  the  right  to  limit  the  use  and  chsclo- 

13  sure  of  personal  health  information. 

14  (7)  To  establish  strong  and  eli:'ective  niecha- 

15  nisrns  to  protect  against  the  unauthorized  and  inap- 

16  propriate  tise  of  personal  health  information  and  en- 

17  sure  that  these  mechanisms  safeguard  this  infornia- 

18  tion  wherever  it  may  reside. 

19  (Si  To  provide  notice  to  individuals  of  breaches 

20  of  their  personal  health  information. 

21  (9i  To  invT)ke  the  sweep  of  congressional  pow-- 

22  ers.  including  the  pcw-er  to  enforce  the  14th  Amend- 

23  ment  to  the  Constitution,  to  regulate  conunerce.  and 

24  to  abrogate  the  innmmity  of  the  States  under  the 

25  11th  Ainenchnent  to  the  Constitution,  m  order  to  ad- 
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1  dress  violations  of  the  rights  of  individuals  to  pri- 

2  vaey,  to  provide  individuals  with  access  to  their 

3  health  information,  and  to  prevent  the  unauthorized 

4  use  of  personal  health  information  that  is  genetic  in- 

5  formation. 

6  (10)  To  establish  strong  and  effective  remedies 

7  for  violations  of  this  Act. 

8  (11)  To  protect  the  rights  of  States. 

9  TITLE  I— HEALTH  INFORMATION 

10  PRIVACY  AND  SECURITY 

11  SEC.  100.  SUMMARY  OF  PRIVACY  RIGHTS  AND  SECURITY 

12  OBLIGATIONS. 

13  (a)  Privacy  Rights. — In  order  to  provide  individ- 


14  uals  who  are  the  subject  of  personal  health  information 

15  with  privacy,  security,  and  control  in  the  use  and  disclo- 

16  sure  of  such  information,  such  individuals  are  provided  the 

17  following  rights  under  this  title: 


18  (1)  The  right  to  not  have  their  personal  health 

19  information  disclosed  without  their  informed  consent 

20  unless  otherwise  required  by  law,  pursuant  to  sub- 

21  title  C. 

22  (2)  The  right  to  inspect  and  copy  their  personal 

23  health  information,  pursuant  to  section  101. 
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1  (3)  The  right  to  correct,  supplement,  or  remove 

2  their  personal  information  held  by  a  person,  pursu- 

3  ant  to  section  102.  ^ 

4  (4)  The  right  to  prohibit  access  by  certain  cat- 

5  egories  of  persons  to  particularly  sensitive  personal 

6  health  information  about  individuals,  such  as  infor- 

7  mation  relating  to  mental  health,  domestic  violence, 

8  sexually  transmitted  diseases,  and  infection  with  the 

9  human  immunodeficiency  virus  (HIV),  pursuant  to 

10  section  122.   -   '    :  -  . 

11  (5)  The  right  to  receive  notification  of  actual  or 

12  suspected  security  breaches  of  their  personal  health 

13  information,  pursuant  to  section  113. 

14  (6)  The  right  to  receive  an  accounting  of  all 

15  electronic  disclosures  of  their  personal  health  infor- 

16  mation  upon  request,  pursuant  to  section  116. 

17  (b)  Security  Obligations. — person  that  dis- 

18  closes,  uses,  or  receives  an  individual's  personal  health  in- 

19  formation  has  obligations  under  this  title,  including  the 

20  following: 

21  (1)  The  obhgation  to  expressly  recognize  the 

22  right  to  privacy  and  security  of  such  individual  with 

23  respect  to  the  use  and  disclosure  of  such  information 

24  under  subtitle  B.  .. 
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1  (2)  The  obligation  to  permit  individuals  who  are 

2  the  subject  of  such  personal  health  information  to 

3  inspect  and  copy  the  personal  health  information 

4  concerning  the  individual  pursuant  to  section  101. 

5  (3)  The  obligation  to  pro\ade  written  notifica- 

6  tion  to  an  indi\ddual  of  the  person's  privacy  prac- 

7  tices  pursuant  to  section  111. 

8  (4)  The  obligation  to  promptly  notify  individ- 

9  uals  of  an  actual  or  suspected  security  breach  of 

10  their  personal  health  information  pursuant  to  section 

11  113.  . 

12  (5)  The  obligation  to  establish  and  maintain  ap- 

13  propriate   administrative,   organizational,  technical 

14  and  physical  safeguards  to  ensure  the  privacy,  con- 

15  fidentiality,  security,  accuracy,  and  integrity  of  per- 

16  sonal  health  information  that  is  accessed,  main- 

17  tained,  modified,  recorded,  stored,  destroyed,  or  oth- 

18  erv^dse  used  or  disclosed  by  such  person  pursuant  to 

19  section  112.  ^  r 

20  (6)  The  obligation  to  make  publicly  available  on 

21  the  Internet  a  list,  including  contact  information,  of 

22  each  data  partner  with  which  the  j^erson  has  entered 

23  into  a  contract  or  relationship  to  provide  sei-vices  in- 

24  volving  personal  health  information  pursuant  to  sec- 

25  tion  114. 
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1  (7)  The  obligation  to  obtain  an  indi^ddual's  in- 

2  formed  consent  or  authorization  before  using  or  dis- 

3  closing  an  indi\iduars  personal  health  information 

4  pursuant  to  chapter  1  of  subtitle  C. 

5  (8)  The  obligation  to  estabhsh  and  update  risk 

6  management      processes      to      protect  against 

7  \Tilnerabilities  to  the  pri^^acy  and  security^  of  indi\dd- 

8  ual's  personal  health  information  pursuant  to  sec- 

9  tions  112  and  114.  - 

10  (9)  The  obligation  to  establish  and  maintain  a 

11  record  of  each  disclosure  of  an  individual's  personal 

12  health  information  pursuant  to  section  116. 

13  (10)  The  obligation  to  provide  individuals  with 

14  concise,  comprehensive,  and  explicit  information  if 

15  seeking  to  use  or  disclose  their  personal  health  infor- 

16  mation  for  marketing  purposes  and  receive  a  sepa- 

17  rate  authorization  from  an  individual  before  using  or 

18  disclosing  the  information  for  that  purpose  pursuant 

19  to  section  123. 

20  Subtitle  A — ^Access  to  and  Accuracy 

21  of  Personal  Health  Information 

22  SEC.    101.    INSPECTION    AND    COPYING    OF  PERSONAL 

23  HEALTH  INFORMATION. 

24  (a)  Right  OF  iNDmDUAL. — 
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1  (1)  In  general. — health  information  person 

2  (as  defined  in  section  171(13))  shall  permit  an  indi- 

3  vidua!  who  is  the  subject  of  personal  health  informa- 

4  tion  (as  defined  in  section  171(23))  that  the  person 

5  holds,  uses,  or  discloses,  or  the  individual's  designee, 

6  to  inspect  and  copy  the  personal  health  information 

7  concerning  the  indi\ddual. 

8  (2)  Procedures  and  fees. — health  infor- 

9  mation  person  may  establish  appropriate  procedures 

10  to  be  followed  for  inspection  and  copying  under 

11  paragraph  (1)  and  may  require  an  individual  to  pay 

12  reasonable  fees  associated  with  such  inspection  and 

13  copying  in  an  amount  that  is  not  in  excess  of  the  ac- 

14  tual  costs  of  providing  such  copying.  Such  fees  may 

15  not  be  assessed  where  such  an  assessment  would 

16  have  the  effect  of  inliibiting  an  individual  from  gain- 

17  ing  access  to  the  information  described  in  paragraph 

18  il). 

19  (b)  Deadline. — health  information  person  shall 

20  comply  with  a  request  for  inspection  or  cop3dng  of  personal 

21  health  information  under  this  section  not  later  than — 

22  (1)  15  business  days  after  the  date  on  wliich 

23  the  person  receives  the  request,  if  such  request  re- 

24  quires  the  inspection,  copying,  or  sending  of  printed 

25  materials;  or 
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1  (2)  5  business  days  after  the  date  on  which  the 

2  pei'son  receives  the  request,  or  sooner  if  the  Sec- 

3  retaiy  determines  appropriate,  if  sncli  recinest  re- 

4  quires  only  tlie  inspection,  copying;  or  sending-  of 

5  electronic  or  other  digital  materials. 

6  (ci  Rules  Gri\T:RviXG  ACtEXTs. — person  that  is 

7  the  agent,  officer,  or  employee  of  a  heahh  information  per- 

8  son  shall  provide  for  the  uispection  and  copying  of  per- 

9  sonal  health  information  if^ —  - 

10  ( 1 1  the  personal  health  information  is  retained 

11  by  the  person:  and      ■  ^  ' 

12  (2 1  the  person  has  been  asked  by  the  health  in- 

13  fonnation  person  to  fulfill  the  requh^ments  of  tliis 

14  section.  -  '       ■  • 

15  (di  Specl\l  Rule  Rel^itixg  to  Oxg-oixg  Clixt:cal 

16  Treves . — ^^Vith  respect  to  personal  health  information 

17  that  IS  created  as  part  of  an  mdiAidual's  voluntaiy  partici- 

18  pati^tn  in  an  ongomg  clinical  trial,  access  to  the  uifonna- 

19  tion  shall  be  prijridfd  viitliin  15  business  days  after  the 

20  date  on  wiiich  the  health  infomiatitjn  person  receives  the 

21  request  or  consistent  vitli  the  inchridual's  agTcement  to 

22  participate  m  the  climcal  trial,  whichever  is  sooner.  -  - 
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1  SEC.  102.  MODIFICATIONS  TO  PERSONAL  HEALTH  INFOR- 

2  MATION. 

3  (a)  In  General. — Not  later  than  15  business  days, 

4  or  earlier  if  the  Secretary  determines  appropriate,  after 

5  the  date  on  which  a  health  information  person  receives 

6  from  an  individual  a  request  in  wi'iting  to  supplement,  cor- 

7  rect,  amend,  segregate,  or  remove  personal  health  infor- 

8  mation  that  the  person  holds,  uses,  or  discloses  concerning 

9  the  individual,  such  person — 

10  (1)  shall,  subject  to  subsections  (b)  and  (c), 

11  modify  the  information,  by  adding  the  requested 

12  supplement,  correction,  or  amendment  to  the  infor- 

13  mation,  or  by  removing  any  information  that  has 

14  l)een  requested  to  be  destroyed; 

15  (2)  shall  inform  the  individual  that  the  modi- 

16  fication  has  been  made;  and  , 

17  (3)  shall  make  reasonable  efforts  to  inform  any 

18  person  to  which  the  portion  of  the  unmodified  infor- 

19  mation  was  previously  disclosed,  of  any  substantive 

20  modification  that  has  been  made. 

21  (b)  Refusal  To  Modify. — If  a  health  information 

22  person  declines  to  make  the  modification  requested  under 

23  subsection  (a)  within  15  business  days  after  receipt  of 

24  such  request,  such  person  shall  inform  the  individual  in 

25  witing  of — 
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1  (li  the  reasons  for  decliiiiiig  to  make  the  modi- 

2  fieatioii: 

3  (2 )  any  procedm-es  for  fiiither  review  of  the  de- 

4  chning  of  snch  modification:  and 

5  (3)  the  InchTidnaFs  rigrht  to  file  vdth  the  person 

6  a   concise  statement  setthig:  fortli  the  requested 

7  modification  and  the  individnal's  reasons  for  dis- 

8  agi'eeing:  with  the  dechTiing  person  and  the  indi^id- 

9  ual's  lig-ht  to  mcliide  a  copy  of  this  refiisal  in  the 

10  health  record  set  (as  defined  in  section  171;  17)) 

1 1  conceiTiing  the  individual. 

12  (c)  Statement  of  Disageeeiient. — ^If  an  indi- 


13  Tidual  has  filed  with  a  health  information  person  a  state- 

14  ment  of  disa.gi'eement  under  subsection  (b)(3).  the  person. 

15  in  any  subsequent  diseiosui'e  of  the  disputed  portion  of 

16  the  information —  "  -  ' 


17  (1 1  shall  include,  at  the  individual's  recjuest.  a 

18  copy  of  the  individual's  statement  in  the  indivddual's 

19  health  record  set:  and 

20  (2  i  may  mclude  a  concise  st,atement  of  the  rea- 

2 1  sons  for  not  makmg  the  reciuested  modification. 

22  'di  EULES  GOYERXIXG  ACtEXTS. — A  person  that  is 


23  the  agent  of  a  health  information  person  shall  only  be  re- 

24  qijired  to  make  a  modification  to  personal  health  informa- 

25  non where —  ^  ;  ;     ^  i     ■■   r  - 
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1  (1)  the  personal  health  information  is  retained, 

2  distributed,  used,  or  maintained  by  the  agent;  and 

3  (2)  the  agent  has  been  asked  by  such  person  to 

4  fulfill  the  requirements  of  this  section. 

5  Subtitle  B — Security  of  Personal 

6  Health  Information 

7  SEC.  111.  NOTICE  OF  PRIVACY  PRACTICES. 

8  (a)  Preparation  op  Written  Notice. — health 

9  information  person  shall  prepare  a  wTitten  notice  of  the 

10  privacy  practices  of  such  person,  including  information 

1 1  with  respect  to  the  followdng: 

12  (1)  The  express  right  of  an  indi\ddual  to  pri- 

1 3  vacy,  security,  and  confidentiahty  with  respect  to  the 

14  disclosure  of  such  individual's  personal  health  infor- 

15  mation.  ;  i»; 

16  (2)  The  procedures  for  an  individual  to  exercise 

17  that  right  by  authorizing  disclosures  of  personal 

18  health  information,  and  to  object  to,  modify,  and  re- 

19  voke  such  authorizations. 

20  (3)  The  right  of  an  individual  to  inspect,  copy, 

21  and  modify  that  individual's  personal  health  infor- 

22  mation.  ,                               .  v 

23  (4)  The  right  of  an  individual  not  to  have  em- 

24  ployment  or  the  receipt  of  services  or  choice  of 

25  health  plan  conditioned  upon  the  execution  by  the 
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1  individual  of  an  authorization  for  disclosure,  except 

2  as  permitted  by  section  122(c). 

3  (5)  A  description  of —  . 

4  (A)  the  categories  or  types  of  employees, 

5  hy  general  categoiy  or  by  general  job  descrip- 

6  tion,  who  have  access  to  or  use  of  personal 

7  health  information  regarding  the  inchvidual; 

8  (B)  the  right  of  the  individual  to  limit  ac- 

9  cess  to  or  use  of  his  or  her  personal  health  in- 

10  formation  by  employees,  agents,  and  contractors 

11  of  the  person;  and  ■  ■ 

12  (C)  the  proeedui^es  for  effectmg  such  hmi- 

13  tations.  ' 

14  (6)  A  smiple,  concise  description  of  any  infor- 

15  mation  sv^stems  used  to  store  or  transmit  j^ersonal 

16  health  information,  including  a  description  of  any 

17  hnkages  made  vvith  other  networks,   systems,  or 

18  databases  outside  the  person's  direct  control. 

19  (7)  The  circumstances  under  wliich  the  infor- 

20  mation  vdll  be,  lavv^illy  and  actually,  used  or  dis- 

21  closed  mthout  an  authorization  executed  by  the  indi- 

22  vddual. 

23  (8)  A  statement  that,  if  an  individual  elects  to 

24  pay  for  health  care  fi'om  the  inchvidual's  ovvm  funds, 

25  that  individual  ma}^  elect  for  personal  health  mfor- 


•HE  5442  IH 


20 

1  mation,  including  any  identifying  information,  not  to 

2  be  disclosed  to  anyone  other  than  designated  health 

3  care  pro\iders,  unless  such  disclosure  is  required  by 

4  mandatory  reporting  requirements  or  other  similar 

5  information  collection  duties  required  by  law. 

6  (9)  The  right  of  the  indi\adual  to  have  contin- 

7  ued  maintenance,  distribution,  or  storage  of  that  in- 

8  di^ddual's  personal  health  information  not  condi- 

9  tioned  upon  whether  that  individual  amends  or  re- 

10  vokes  an  authorization  for  disclosure,  or  requests  a 

1 1  modification  of  personal  health  information. 

12  (10)  The  right  of  and  procedures  for  an  indi- 

13  vidual  to  request  that  personal  health  information  be 

14  transferred  to  a  third  party  person  without  unrea- 

15  sonable  delay. 

16  (11)  The  right  to  prompt  notification  of  an  ac- 

17  tual  or  suspected  security  breach  of  personal  health 

18  information,  and  how  such  breaches  will  be  remedied 

19  by  the  person. 

20  (12)  The  right  of  an  individual  to  inspect  and 

2 1  obtain  a  copy  of  records  of  authorized  and  unauthor- 

22  ized  disclosures  as  well  as  attempted  and  actual  ac- 

23  cess  and  use  by  an  authorized  or  unauthorized  per- 

24  son.      .  ^  . 
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1  (13)  The  rigiit  of  an  indhidiial  to  exercise  non- 

2  disclosiu'e  and  nonuse  rights  vdtli  respect  to  their 

3  personal  health  information,  including  the  right  to 

4  opt  out  of  any  local,  regional,  or  natiomdde  health 

5  information  netAvork  or  system  that  is  nsed  by  the 

6  person.  -  - ' 

1  (b)  Proatsion  axd  Posting  of  AVrittex  No- 

8  TK'E. —  ■     '                  '      '      -  ' 

9  (1)  Peo\7SIOX. — heahh  information  person 

10  shaU  provide  in  AATiting  a  copy  of  the  notice  of  pri- 

1 1  vacy  practices  required  mider  subsection  ( a ) — 

12  (A)  at  the  first  contact  bet^veen  the  indi- 

13  \idual  and  the  person;  and 

14  (B)  upon  the  reqtiest  of  an  inchAidual. 

15  (2)   POSTIXG. — A  heahh   information  person 

16  shall  post,  in  a  clear  and  conspicuous  manner,  a 

17  l)rief  summaiy  of  the  privacy  practices  of  the  person. 

18  (c)  :Model  Notice. — The  Secretaiy.  in  consultation 


19  v.ith  the  Director  of  the  Office  of  Health  Information  Pri- 

20  vacy,  after  notice  and  opportunity  for  public  conmient. 

21  sliaU  develop  and  chsseminate  model  notices  of  privacy 

22  practices,  and  model  summaiy  notices  for  posting  for  use 

23  under  tins  section.  Use  of  such  model  notice  shall  be 

24  deemed  to  satisfy  the  reciuirements  of  this  section. 
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1    SEC.  112.  ESTABLISHMENT  OF  SAFEGUARDS. 


2  (a)   In  General. — health  information  person 

3  shall — 

4  (1)  establish  and  maintain  appropriate  adminis- 

5  trative,  organizational,  technical,  and  physical  safe- 

6  g:uards  and  procedures  to  ensure  the  privacy,  con- 

7  fidentiality,  security,  accuracy,  and  integrity  of  per- 

8  sonal  health  information  that  is  accessed,  main- 

9  tained,   retained,   modified,   recorded,   stored,  de- 

10  stroyed,  or  otherwise  held,  used,  or  disclosed  by  such 

11  person;  and 

12  (2)  employ  an  indiA^dual  whose  responsibilities 

13  include  the  management  of  the  person's  information 

14  security. 

15  (b)  Factors  To  Be  Considered. — The  pohcies  and 

16  safeguards  established  under  subsection  (a)  shall  ensure 

17  that— 

18  (1)  personal  health  information  is  used  or  dis- 

19  closed  only  with  informed  consent  (as  defined  in  sec- 

20  tion  171(19)); 

21  (2)  the  categories  of  personnel  who  will,  with 

22  the  informed  consent  of  the  incUvidual,  have  access 

23  to  personal  health  information  are  identified; 

24  (3)  the  feasibility  of  hmiting  access  to  personal 

25  health  information  is  considered; 
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1  (-±1  tlie  prh-acy.  seeiirity.  and  eoiifidentialiTy  of 

2  personal  health  inf'ormatiijn  is  mainTanied: 

3  (5 1  personal  health  uifbrmation  is  protected 

4  a.gamst  any  reasonably  anticipated  ^Tilnerabilities  to 

5  the  privacy,  seciuit}'.  or  integrity-  of  such  uiforma- 

6  tion:  and  -  '            •        '    "  " 

7  lb!   personal  health  inhjrniation  is  protected 

8  agrainst  imauthorized  access,  use,  or  misuse  of  such 

9  infomiaticm. 

10  'ri  ^LjDEL  GriDELiXES. — The  Secretaiy.  m  con- 


1 1  sultation  with  the  Direct i:ir  of  the  Office  of  Health  Inf  jr- 

12  niation  Privacy  appointed  tuider  section  161.  after  notice 

13  and  opportunity  for  piibhc  cormnent.  in  accordance  vitli 

14  the  requirements  of  chapter  5  of  title  5.  Umted  States 

15  Code.  sliaU  develop  and  disseminate  model  guidelines  for 

16  the  estabhslmient  of  safeguards  and  procedtu^s  for  use 

17  under  tins  section,  such  as.  where  appropriate,  hidiridual 

18  autlifnticatiijn  oi  uses  of  computer  systems,  access  con- 

19  trols.  audit  trails,  encnption  or  any  adchtional  security 

20  meth':M;loLjgy  or  teclmolosr^'  other  than  encnption  winch 

21  renders  data  in  electronic  form  luueadaljle  or  indecipher- 

22  able,  physical  securirv'.  protection  of  remote  access  pohits 

23  and  protection  of  external  electromc  coimimnications.  peri- 

24  ochc  secmity  assessments,  incident  reports,  and  sanctions. 

25  The  Secretaiy.  in  consultation  with  the  Duector.  shaU  up- 
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1  date  and  disseminate  the  guidelines,  as  appropriate,  to 

2  take  advantage  of  new  technologies,  so  as  to  ensure  that 

3  the  guidelines  emphasize  the  need  for  stringent  privacy, 

4  security,  and  confidentiality  safeguards  and  procedures. 

5  (d)  Review  and  Updating  of  Safeguards. — Per- 

6  sons  subject  to  this  title  shall  monitor,  evaluate,  and  ad- 

7  just,  as  appropriate,  all  safeguards  and  procedures,  con- 

8  comitant  with  relevant  changes  in  technolog)^,  the  sensi- 

9  tivity  of  personally  identifiable  information,  internal  or  ex- 

10  ternal  threats  to  personally  identifiable  information,  and 

11  any  changes  in  the  contracts  or  business  of  the  person. 

12  For  the  purpose  of  reviemng  and  updating  safeguards,  the 

13  Secretaiy  may  provide  technical  assistance  to  health  infor- 

14  mation  persons,  as  appropriate. 

15  SEC.  113.  NOTIFICATION  IN  THE  CASE  OF  BREACH. 

16  (a)  In  GeneraIj. — health  information  person  that 

17  accesses,  maintains,  retains,  modifies,  records,  stores,  de- 

18  stroys,  or  othei-wise  holds,  uses,  or  discloses  personal 

19  health  information  shall,  following  the  discoveiy  of  a  secu- 

20  rity  breach  (as  defined  in  section  171(28))  of  such  infor- 

21  mation,  notify  each  individual  whose  personal  health  infor- 

22  mation  has  been,  or  is  reasonably  believed  to  have  been, 

23  accessed,  or  acquired  during  such  breach. 

24  (b)  Obligation  of  Owner  or  Licensee. — 
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1  (1)  Notice  to  owner  or  licensee. — ^Aiiy 

2  person  engaged  in  interstate  commerce,  that  uses, 

3  accesses,  transmits,  stores,  disposes  of,  or  collects 

4  personal  health  information  that  the  person  does  not 

5  own  or  license  shall  notify  the  omier  or  licensee  of 

6  the  information  following  the  discovery  of  a  security 

7  breach  involving  such  information.  • 

8  (2)  Notice  by  ower,  licensee,  or  other 

9  DESIGNATED  THIRD  PARTY. — Nothing  in  this  sub- 

10  title  shall  be  construed  to  prevent  or  abrogate  an 

11  agreement  between  a  person  required  to  give  notice 

12  under  this  section  and  a  designated  third  party,  in- 

13  eluding  an  owner  or  licensee  of  the  personal  health 

14  information  subject  to  the  security  breach,  to  pro- 

15  vide  the  notifications  required  under  subsection  (a). 

16  (3)  Person  relie\^d  from  giving  notice.— 

17  A  person  obligated  to  give  notice  under  subsection 

18  (a)  shall  be  relieved  of  such  obligation  if  an  owner 

19  or  licensee  of  the  personal  health  information  subject 

20  to  the  security  breach,  or  other  designated  third 

21  party,  provides  such  notification. 

22  (c)  Timeliness  of  Notification. — 

23  (1)   In  general. — ^All  notifications  required 

24  under  this  section  shall  be  made  within  15  business 

25  days,  or  earlier  if  the  Secretary  determines  appro- 
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1  priate,  followdng  the  discovery  by  the  person  of  a  se- 

2  curity  breach. 

3  (2)  Burden  of  proof. — The  person  required 

4  to  provide  notification  under  this  section  shall  have 

5  the  burden  of  demonstrating  that  all  notifications 

6  were  made  as  required  under  this  subtitle,  including 

7  evidence  demonstrating  the  necessity  of  any  delay. 

8  (d)  Methods  of  Notice. — person  described  in 

9  subsection  (a)  shall  provide  to  an  individual  the  following 

10  forms  of  notice  in  the  case  of  a  security  breach: 

11  (1)     iNDmDUAlj    NOTICE. — Notice  required 

12  under  this  section  shall  be  provided  in  such  form  as 

13  the  individual  selects,  including — 

14  (A)  witten  notification  to  the  last  known 

15  home  mailing  address  of  the  individual  in  the 

16  records  of  the  person; 

17  (B)  telephone  notice  to  the  individual  per- 

18  sonally;  or  ■ 

19  (C)  e-mail  notice,  if  the  individual  has  con- 

20  sented  to  receive  such  notice  and  the  notice  is 

21  consistent  with  the  provisions  permitting  elec- 

22  tronic  transmission  of  notices  under  section  101 

23  of  the  Electronic  Signatures  in  Global  and  Na- 

24  tional  Commerce  Act  (15  U.S.C.  7001). 
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1  (2)  Media  notice. — ^Notice  shall  be  proTided 

2  to  promiiieiit  media  oatiets  serving  a  State  or  jnris- 

3  dietioiL,  if  the  personal  health  information  of  more 

4  than  500  residents  of  such  State  or  jorisdietion  is, 

5  or  is  reasonabbr  beheved  to  have  been,  acquired  by 

6  ammanthorized  person. 

7  (3)  Notice  to  seceetakt. — Notice  shall  be 

8  provided  to  the  Seeretarr  for  health  information  per- 

9  sons  that  have  lost,  stolen,  disclosed,  or  nsed  in  an 

10  xmanthorized  manner  or  for  an  nnanthoiized  pnr- 

11  pose  the  personal  health  information  of  a  significant 

12  niunber  of  individnals. 

13  (e)  Coj^TENT  OF  MonETGAnON. — Eegardless  of  the 

14  method  hj  Tdiieh  notice  is  provided  to  individuals  mider 

15  this  section,  notice  of  a  seenritf  breach  shall  inehide^  to 

16  the  extent  possible — 

17  (1)  a  description  of  the  pem)nal  health  infor- 

18  mation  tiiat  has  been,  or  is  reasonabfy  befieved  to 

19  have  been,  accessed,  disclosed,  or  otherwise  used  by 

20  an  nnanthorized  person; 

21  (2)  a  toll-free  nnmber  that  the  indrddnal  may 

22  nse  to  contact  the  person  described  in  subsection  (a) 

23  to  learn  \diat  types  of  personal  health  information 

24  ~tiie  person  maintained  about  that  individoal;  and 
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1  (3)  toll-free  contact  telephone  numbers  and  ad- 

2  dresses  for  major  credit  reporting  agencies. 

3  (f)  Delay  op  Notification  Authorized  for  Law 

4  Enforcement  Purposes. — 

5  (1)  In  general. — If  a  Federal  law  enforce- 

6  ment  agency  determines  that  the  notification  re- 

7  quired  under  this  section  would  impede  a  criminal 

8  investigation  or  cause  damage  to  national  security, 

9  such  notification  shall  be  delayed  upon  written  no- 

10  tice  from  the  Federal  law  enforcement  agency  to  the 

11  person  that  experienced  the  breach.  . 

12  (2)  Extended  delay  of  notification. — If 

13  the  notification  required  under  subsection  (a)  is  de- 

14  layed  pursuant  to  paragraph  (1),  a  person  shall  give 

15  notice  not  later  than  30  days  after  such  law  enforce- 

16  ment  delay  was  invoked  unless  a  Federal  law  en- 

17  forcement  agency  pro\'ides  written  notification  that 

18  further  delay  is  necessary.  8 

19  SEC.  114.  TRANSPARENCY. 

20  (a)  Public  List  of  Data  Partners. — 

21  (1)  In  generaIj. — A  health  information  person 

22  shall  establish  a  hst  of  data  partners  (as  defined  in 

23  paragraph  (2))  with  which  such  person  has  entered 

24  into  a  contract  or  relationship  for  the  purposes  of 

25  providing  semces  involving  any  personal  health  in- 
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1  formation  held,  used,  or  disclosed  by  the  person. 

2  Such  list  and  the  contact  information  for  each  part- 

3  ner  shall  be  made  publicty  accessible  on  the  Internet. 

4  (2)  Data  partner  defined. — In  paragraph 

5  (1),  the  term  "data  partner"  means  a  data  bank, 

6  data  warehouse,  information  clearinghouse,  record 

7  locator  system,  or  other  business  entity,  which  for 

8  monetaiy  fees,  dues,  or  on  a  cooperative  nonprofit 

9  basis,  engages  in  the  practice  of  accessing,  col- 

10  lecting,  maintaining,  modifying,  storing,  recording, 

11  transmitting,  destro}dng,  or  othen^dse  using  or  dis- 

12  closing  the  personal  health  information  of  indi^dd- 

13  uals.  Any  person  maintaining  personal  health  infor- 

14  mation  for  the  purposes  of  making  such  information 

15  aA-ailable  to  the  individual  or  the  health  care  pro- 

16  Alder,  including  persons  furnishing  free  or  paid  per- 

17  sonal  health  records,  electronic  health  records,  elec- 

18  tronic  medical  records,  and  related  products  and 

19  sendees,  shall  be  deemed  to  be  a  data  partner  sub- 

20  ject  to  the  requirements  of  this  title. 

21  (b)  Subcontracting  and  Outsourcing  Oveb.- 

22  SEAS. — In  the  event  a  health  information  person  contracts 

23  \Yith  sendee  provdders  not  subject  to  this  title,  including 

24  sendee  provdders  operating  in  a  foreign  comitry,  such  per- 

25  son  shaU —  i  :  ■ 
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1  (1)  take  reasonable  steps  to  select  and  retain 

2  third  party  service  providers  capable  of  maintaining 

3  appropriate  safeguards  for  the  security,  privacy,  and 

4  integi'ity  of  personal  health  information; 

5  (2)  require  by  contract  that  such  service  pro- 

6  viders  implement  and  maintain  appropriate  meas- 

7  ures  designed  to  meet  the  requirements  applicable  to 

8  health  information  persons  under  this  title; 

9  (3)  be  held  liable  for  any  violation  of  this  title 

10  by  an  overseas  service  provider  or  other  provider  not 

11  subject  to  this  title;  and 

12  (4)  in  the  case  of  a  seMce  provider  operating 

13  in  a  foreign  country,  obtain  the  informed  consent  of 

14  the  individual  involved  prior  to  outsourcing  such  in- 

15  dividual's  personal  health  information  to  such  pro- 

16  vider. 

17  (c)  List  of  Persons. — The  Secretary  shall  maintain 

18  a  public  list  identifying  health  information  persons  that 

19  have  lost,  stolen,  disclosed,  or  used  in  an  unauthorized 

20  manner  or  for  an  unauthorized  purpose  the  personal 

21  health  information  of  1,000  or  more  individuals.  The  list 

22  shall  include  how  many  individuals  were  affected  by  such 

23  action  and  be  displayed  on  the  Web  site  of  the  Department 

24  of  Health  and  Human  Sei^ces.  < 
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1  SEC.  115.  RISK  MANAGEMENT. 

2  (a)  Ix  Gexeral. — Each  health  information  person 

3  shall  establish  risk  management  and  control  processes  to 

4  protect  against  anticipated  \Tilnerabilities  to  the  privacy, 

5  security,  and  mtegTity  of  personal  health  information  that 

6  the  person  accesses,  holds,  uses,  or  discloses. 

7  (b)  Risk  Assessment. — A  health  information  person 

8  shall  perform  ammal  risk  assessments  of  procedures,  sys- 

9  tems,  or  net^vorks  im'olved  in  the  creation,  accessing, 

10  mamtenance,  retention,  modification,  recording,  storage, 

1 1  distribution,  destmction.  or  other  use  or  disclosure  of  per- 

12  sonal  health  information.  Such  risk  assessment  shaU  in- 

13  elude— 

14  (1)  identifying  reasonably  foreseeable  internal 

15  and  external  ATilnerabilities  that  could  result  in  inac- 

16  cui^acy  or  in  unauthorized  access,  disclosure,  use,  or 

17  modification  of  personal  health  information,  or  of 

18  systems  containing  personal  health  information; 

19  (2)  assessmg  the  likeliliood  of  and  potential 

20  damage  fi^om  maccuracy  or  from  unauthorized  ac- 

21  cess,  disclosure,  use,  or  modification  of  personal 

22  health  hiformation; 

23  (3)  assessing  the  sufficiency  of  policies,  tecli- 

24  nologies,  and  safeguards  in  place  to  enable  comph- 

25  ance  vdth  mdi^iduals"  informed  consent  to  the  ac- 

26  cess,  disclosui'e,  use,  or  modification  of  theii'  per- 
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1  sonal  health  information  and  minimize  and  control 

2  risks  from  unauthorized  access,  disclosure,  use,  or 

3  modification  of  individuals'  personal  health  informa- 

4  tion;  and 

5  (4)    assessing   the   wlnerability   of  personal 

6  health  information  during  destruction  and  disposal 

7  of  such  information,  including  through  the  disposal 

8  or  retirement  of  hardware.  ^  ' 

9  (c)  Risk  Management. — health  information  per- 

10  son  shall  establish  risk  management  and  control  proce- 

11  dures  designed  to  control  risks  such  as  those  identified 

12  in  subsection  (b).  Such  procedures  shall  include — 

13  (1)  a  means  for  the  detection  and  recording  of 

14  actual  or  attempted,  unauthorized,  fraudulent,  or 

15  othe™se  unlawful  access,  disclosure,  transmission, 

16  modification,  use,  or  loss  of  personal  health  informa- 

17  tion; 

18  (2)  procedures  for  ensuring  the  secure  disposal 

19  of  personal  health  information; 

20  (3)  a  means  for  limiting  physical  access  to 

21  hardware,  software,  data  storage  technology,  sei-vers, 

22  systems,  or  networks  by  unauthorized  persons  in 

23  order  to  minimize  the  risk  of  information  disclosure, 

24  modification,  transmission,  access,  use,  or  loss; 
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1  (4)  proAidiiig-  appropriate  risk  management  and 

2  control  training  for  employees:  and 

3  (5)  earning  out  annual  testing  of  such  risk 

4  management  and  control  procedures. 

5  SEC.  116.  ACCOUNTING  FOR  DISCLOSURES  AND  USE. 

6  (a)  In  Gexer.\l. — A  health  information  person  shall 

7  estabhsh  and  maintain.  A\ith  respect  to  any  personal 

8  health  information  chsclosure.  a  record  of  each  disclosure 

9  in  accordance  A\ith  regulations  promulgated  by  the  Sec- 

10  retaiy  in  consultation  ^^ith  the  Director  of  the  Office  of 

1 1  Health  Information  Privacy.  Such  record  shah  include  the 

12  purpose  of  any  disclosure  and  the  identity  of  the  specific 

13  individual  executing  the  chsclosure.  as  weU  as  the  person 

14  to  wliich  such  information  is  disclosed. 

15  (b)  ]\L\IXTEX.\XCE  OF  Record. — A  record  estab- 

16  lished  under  subsection  (a J  shaU  be  mauitamed  for  not  less 

17  than  6  years. 

18  (c)  Electronic  Records. — A  heahh  information 

19  person  shall,  to  the  maximum  extent  practicable,  maintain 

20  an  accessible  electronic  record  concerning  each  access,  use. 

21  or  disclosure,  whether  authorized  or  unauthorized  and 

22  whether  successful  or  unsuccessful,  of  personal  health  in- 

23  formation  maintained  liy  such  person  in  electronic  form. 

24  The  record  shall  include  the  identities  of  the  specific  indi- 

25  vi duals  (or  a  way  to  identify'  such  inch\iduals,  or  uii'orma- 
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1  tion  helpful  in  determining-  the  identities  of  such  individ- 

2  nals)  who  access  or  seek  to  gain  access  to,  use  or  seek 

3  to  use,  or  disclose  or  seek  to  disclose,  information  suffi- 

4  cient  to  identify  the  personal  health  information  sought 

5  or  accessed,  and  other  appropriate  information. 

6  (d)  Access  to  Records. — health  information  per- 

7  son  shall  permit  an  individual  who  is  the  subject  of  per- 

8  sonal  health  information,  or  the  individual's  designee,  to 

9  inspect  and  copy  the  records  created  in  subsections  (a) 

10  and  (c). 

1 1  Subtitle  C — Use  and  Disclosure  of 

12  Personal  Health  Information 

13  CHAPTER  1— GENERAL  RESTRICTIONS 

14  SEC.  121.  GENERAL  RULES  REGARDING  USE  AND  DISCLO- 

15  SURE. 

16  (a)  Prohibition. —  ^ 

17  (1)  General  rule. — person  may  not  dis- 

18  close,  access,  or  use  personal  health  information  ex- 

19  cept  as  authorized  under  this  title.  .  . 

20  (2)  Rule  op  construction. — Disclosure  or 

21  use  of  health  information  that  meets  the  standards 

22  of  being  de-identified  health  information  shall  not  be 

23  construed  as  a  disclosure  or  use  of  personal  health 

24  information.  / 

25  (b)  Scope  op  Disclosure  or  Use. — 
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1  (1)  In  generaIj. — disclosure  or  use  of  per- 

2  sonal  health  mformation  under  this  subtitle  shall  be 

3  limited  to  the  minimum  amount  of  information  nee- 

4  essar}^  to  accomplish  the  purpose  for  which  the  dis- 

5  closure  or  use  is  made,  such  as  the  indiAddual's  name 

6  and  addiTss,  date  of  sendee,  place  of  service,  type  of 

7  sendee,  cost  of  sendee,  and  diagnosis. 

8  (2)  Determination. — The  determination  as  to 

9  what  constitutes  the  minimum  disclosure  or  use  pos- 

10  sible  for  purposes  of  paragraph  (1)  shall  be  made  by 

1 1  the  indi^ddual  or  entity  holding  the  information.  The 

12  minimum  necessary  standard  is  intended  to  be  con- 

13  sistent  \\dth,  and  not  override,  professional  judgment 

14  and  standards. 

15  (c)  Use  or  Disclosure  for  Purpose  Only. — 

16  (1)  In  GENERtVij. — ^An  authorized  recipient  (as 

17  defined  in  paragraph  (2))  of  information  pursuant  to 

18  this  subtitle  may  use  or  disclose  such  information 

19  solely  to  carry  out  the  purpose  for  which  the  infor- 

20  mation  was  disclosed,  except  as  provided  in  section 

21  143. 

22  (2)   Authorized   recipient   defined. — In 

23  paragraph    (1),    the   term   "authorized  recipient" 

24  means  a  person  granted  the  authority  by  an  indi- 

25  vidual,  in  accordance  with  this  title,  to  access,  main- 
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1  tain,  retain,  modify,  record,  store,  destroy,  or  other- 

2  wise  use  the  indiiidual's  personal  health  information 

3  through  an  authorized  disclosure. 

4  (d)  No  GeneriVl  Requirement  To  Disclose. — 

5  Nothing  in  this  subtitle  permitting  the  disclosure  of  per- 

6  sonal  health  information  shall  be  construed  to  require  such 

7  disclosure. 

8  (e)  Identification  of  Disclosed  Information  as 

9  Personal  Health  Information. — Personal  health  in- 

10  formation  disclosed  or  used  pursuant  to  this  subtitle  shall 

11  be  clearly  identified  and  labeled  as  personal  health  infor- 

12  mation  that  is  subject  to  this  title.  -  : 

13  (f)  Disclosure  or  Use  by  Agents. — ^An  agent, 

14  employee,  or  affiliate  of  a  health  information  person  that 

15  accesses,  seeks  to  access,  obtains,  discloses,  uses,  or  re- 

16  ceives  personal  health  information  from  such  person,  shall 

17  be  subject  to  this  subtitle  to  the  same  extent  as  the  person. 

18  (g)  Disclosure  or  Use  by  Others. — person  re- 

19  ceiving  personal  health  information  initially  held  by  a  per- 

20  son  described  in  subsection  (f)  shall  be  subject  to  this  sub- 

21  title  to  the  same  extent  as  the  person  described  in  sub- 

22  section  (f). 

23  (h)  Creation  of  De-Identified  Information. — 

24  Notwithstanding  subsection  (c),  but  subject  to  the  other 

25  provisions  of  this  section,  a  person  described  in  subsection 
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1  (f)  may  disclose  personal  health  information  to  an  em- 

2  ployee  or  other  agent  of  the  person  for  purposes  of  cre- 

3  ating  de-identified  information. 

4  (i)  Unauthorized  Use  or  Disclosure  of  the 

5  Decryption  Key. — The  unauthorized  disclosure  of  a 

6  decrs^tion  key  (as  defined  in  section  171{7))  or  other  sec- 

7  ondarv^  or  tertiar}^  means  for  accessing  personal  health  in- 

8  formation  shall  be  deemed  for  purposes  of  this  subtitle  to 

9  be  a  disclosure  of  personal  health  information.  The  unau- 

10  thorized  use  of  a  decryption  key  (or  other  secondary  or 

1 1  tertiary  means  for  accessing  personal  health  information) 

12  or  de-identified  health  information  in  order  to  identify  an 

13  individual  is  deemed  for  purposes  of  this  subtitle  to  be  dis- 

14  closure  of  personal  health  information. 

15  (j)  No  Wai\ter. — Except  as  provided  in  this  title,  an 

16  informed  consent  or  other  authorization  to  disclose  or  use 

17  personally  identifiable  health  information  executed  by  an 

18  individual  pursuant  to  this  subtitle  shall  not  be  construed 

19  as  a  waiver  of  any  rights  that  the  individual  has  under 

20  other  Federal  or  State  laws,  the  rules  of  evidence,  or  com- 

21  mon  law.  '                :       .  ! 

22  (k)  Opt-in  to  Network  Sharing. — 

23  (1)  In  generaIj. — Before  a  health  information 

24  person    may   share   personal   health  information, 

25  through  disclosure,  access,  use,  or  otherv^dse,  mth  a 
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1  health  information  network  or  system,  the  indi^ddual 

2  must  opt  in  to  the  sharing  of  such  information  with 

3  such  network  or  system. 

4  (2)  Health  information  network  or  sys- 

5  TEM  defined. — In  this  subsection,  the  term  "health 

6  information  network  or  system"  means  an  interoper- 

7  able  health  information  infi-astructure  consisting  of 

8  health  information  systems  and  other  networks  that 

9  connect  providers,  consumers,  and  others  involved  in 

10  supporting' health  and  health  care.  >:  :  :    ■     •  ■ 

11  (1)  Disposal  of  Data. — To  prevent  the  unauthor- 

12  ized  disclosure  or  use  of  personal  health  information,  such 

13  information,  when  disposed  of,  shall  be  de-identified,  de- 

14  stroyed,  or  ex})unged  from  any  electronic,  paper,  or  other 

15  files  and  documents  maintained  by  authorized  persons  to 

16  make   such   information   permanently  unreadable  and 

17  undecipherable. 

18  (m)    Obligations   of   Unauthorized  Recifi- 

19  ENTS. — person  that  obtains,  accesses,  or  receives  per- 

20  sonal  health  information  and  that  is  an  unauthorized  re- 

21  cipient  of  such  information  may  not  access,  maintain,  re- 

22  tain,  modify,  record,  store,  destroy,  or  otherwise  use  or 

23  disclose  such  information  for  any  purposes,  and  use  or  dis- 

24  closure  of  personal  health  information  under  such  cir- 

25  cumstances  shall  be  deemed  for  purposes  of  this  subtitle 
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1  an  nnauThorized  disclosure  of  personal  health  infonnation, 

2  unless  the  chsclosm^e  is  for  the  purpose  of  informing  the 

3  Seeretaiy.  law  enforcement  authorities,  or  CongTess  of  the 

4  person's  unauthorized  receipt  of  the  personal  health  infor- 

5  rnation.  ■ 

6  SEC.  122.  INFORMED  CONSENT  FOR  DISCLOSURE  OF  PER- 


7  SONAL  HEALTH  INT0R3L\TI0N  FOR  TREAT- 

8  MENT  AND  PAYMENT. 

9  (a)   Requireaiexts  Relating  to  Ewloyers, 

10  Health  Plans.  He^vlth  or  Life  Insurers.  Untn- 

11  si-red  and  Self-Pay  Indutduai.s.  and  Pro^tders. — 

12  (1)  In  GENEPvAL. — ^An  employer,  health  plan, 

13  health  or  life  mstu-er.  or  health  care  provider  that 

14  seeks  to  chsclose  personal  health  uiformation  in  con- 

15  nection  ^nth  treatment  or  pa^xnent  shall  obtain  in- 

16  formed  consent  'as  defined  in  section  171il9ii  from 

17  the  s-ul3ject  of  such  personal  health  uh:'orniation  that 

18  satisfies  the  reqiurements  of  tins  section.  A  single 

19  consent  may  authorize  multiple  chsclosures. 

20  (2)  Health  puans.  health  or  life  insur- 

21  ERs. — Eveiy  health  plan  or  health  or  hfe  msurer  of- 

22  fermg   em'-oUment    to    inch\idual    or  nonemployer 

23  groups  sliaU.  at  the  time  of  emxiUment  in  the  plan 

24  or  uisiu'ance.  obtain  an  informed  consent  for  the  use 

25  and  disclosiu-e  of  personal  health  information  \\-ixh. 
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1  respect  to  each  indmdual  who  is  ehgible  to  receive 

2  care  or  benefits  under  the  plan  or  insurance. 

3  (3)   Uninsured  and   self-pay. — ^An  origi- 

4  nating-  pro^dder  that  pro\ddes  health  care  in  other 

5  than  a  network  plan  setting,  or  provides  health  care 

6  to  an  uninsured  indi\idual,  shall  obtain  an  informed 

7  consent  for  access  to  or  use  of  personal  health  infor- 

8  mation  in  providing  health  care  or  arranging  for 

9  health  care  from  other  pro\dders  or  seeking  payment 

10  for  the  provision  of  health  care  ser\dces.  -     /  • 

11  (4)  PRO\aDERS. — Every  health  care  provider 

12  that  pro\ides  health  care  to  an  individual  that  has 

13  not  been  given  the  appropriate  prior  consent  under 

14  this  section,  shall  at  the  time  of  providing  such  care, 

15  or  at  such  time  as  is  practicable  if  services  are  nec- 

16  essaiy  prior  to  the  opportunity  to  obtain  consent,  ob- 

17  tain  an  informed  consent  for  the  use  and  disclosure 

18  of  personal  health  information  with  respect  to  such 

19  individual. 

20  (b)  Requirements  for  Individual  Informed 

21  Consent. — To  satisfy  the  requirements  of  this  sub- 

22  section,  an  informed  consent  from  an  individual  to  disclose 

23  the  indi^ddual's  personal  health  information  shall — 

24  '  (1)  identify,  by  general  job  description  or  other 

25  functional  description  and  by  geographic  location, 
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1  those  persons  that  are  authorized  to  disclose  the  in- 

2  formation,  including  entities  employed  by  a  person 

3  authorized  to  disclose  the  information; 

4  (2)  describe  the  specific  nature  of  the  informa- 

5  tion  to  be  disclosed; 

6  (3)  identify,  by  general  job  description  or  other 

7  functional  description  and  by  geogTaphic  location, 

8  those  persons  to  which  the  information  wiW  be  dis- 

9  closed,  including  entities  employed  by  a  person  to 

10  which  information  is  authorized  to  be  disclosed; 

11  (4)  describe  the  purpose  of  the  disclosures; 

12  (5)  permit  the  executing  indi^ddual  to  indicate 

13  that  a  particular  person  or  class  of  persons  (a  group 

14  of  persons  vAth  similar  roles  or  functions)  listed  on 

15  the  informed  consent  is  not  authorized  to  receive 

16  personal  health  information  concerning  the  indi- 

17  \idual,  except  as  pro^dded  for  in  subsection  (c)(3); 

18  (6)  provide  the  means  by  which  an  indi^ddual 

19  may  indicate  that  some  of  the  individual's  personal 

20  health  mformation  should  be  segregated  and  to  what 

21  persons  or  classes  of  persons  such  segregated  infor- 

22  mation  may  be  disclosed; 

23  (7)  be  subject  to  revocation  by  the  individual 

24  and  indicate  that  the  informed  consent  is  valid  until 
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1  revocation  by  the  individual  or  until  an  event  or  date 

2  specified; 

3  (8)(A)  be  in  witing,  dated,  and  signed  by  the 

4  indi^ddual;  and 

5  (B)  not  have  been  revoked  under  subsection  (f); 

6  (9)  describe  the  procedure  by  which  an  indi- 

7  vidual  can  amend  an  informed  consent  previously  ob- 

8  tained  by  a  person; 

9  (10)  describe  the  extent  to  which  the  authorized 

10  person  mil  share  information  with  sub-contracted 

11  persons,  and  the  geographic  location  of  sub-con- 

12  tracted  persons,  including  those  operating  or  located 

13  overseas,  except  that  the  authorized  person  shall  ob- 

14  tain  the  informed  consent  of  the  indi^ddual  involved 

15  prior   to    outsourcing    such    individual's  personal 

16  health  information  to  a  sub-contracted  person  oper- 

17  ating  or  located  overseas;  and 

18  (11)  describe  the  nature  and  probability  of 

19  harm  to  the  individual  resulting  from  the  informed 

20  consent  for  use  or  disclosure,  consistent  with  the 

21  principle  of  informed  consent. 

22  (c)  Limitation  on  Informed  Consent. — 

23  (1)  In  general. — Subject  to  paragraphs  (2) 

24  and  (3),  a  health  information  person  that  seeks  in- 

25  formed  consent  under  this  subtitle  may  not  condition 
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1  the  deliveiy  of  treatment  or  pa^^nent  for  senices  on 

2  the  receipt  of  such  an  mformed  consent. 

3  (2)  Eight  to  reqltre  self-pay^iext. — 

4  (A)  Ix  GEXERAL. — If  an  mdmdual  has  re- 

5  fused  to  provide  an  uiformed  consent  for  disclo- 

6  sure  of  achiunistrative  bilhng  mformation  (as 

7  defined  m  subparagxaph  (B))  to  a  person  and 

8  such  uiformed  consent  is  necessaiy  for  a  heahh 

9  cai'e  provider  to  receive  payment  for  sei-^ices  de- 

10  hvered.  the  heahh  care  provider  may  reciuire 

11  the  individual  to  pay  fi'om  theu  ovni  fimds  for 

12  the  senices. 

13  (B)  Ad^mixistratr^e  bellixg  ixfor^li- 

14  TIOX. — In  subparagraph  (A),  the  term  "adniin- 

15  istrative  bilhng  information"  means  any  of  the 

16  foUowing  forms  of  personal  heahh  uiformation: 

17  (i)  Date  of  senice.  pohcy.  patient 

18  identifiers,  and  practitioner  or  faeihtj'  iden- 

19  tifiers. 

20  (u)  Diagnostic  codes,  in  accordance 

21  Tdth   medicare   biUing   codes,   for  wliich 

22  treatment  is  loeing  rendered  or  requested. 

23  '    -  (in)  Complexity  of  senice  codes,  indi- 

24  —  eating  dm^ation  of  treatment. 

25  (iv)  Total  bihed  charges. 
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1  (3)  Right  of  health  care  PRcmDEE  to  re- 

2  QUIRE  INFORMED  CONSENT  FOR  TREATMENT  FUR- 

3  POSES. — If  a  health  care  pimider  that  is  seeking-  an 

4  informed  consent  for  disclosure  of  an  individual's 

5  personal  health  information  believes  that  the  disclo- 

6  sure  of  such  information  is  necessary  so  as  not  to 

7  endanger  the  health  or  treatment  of  the  individual, 

8  and  if  the  witliliolding  of  semces  will  not  endanger 

9  the  life  of  the  indi\ddual,  the  health  care  pro\ider 

10  may  condition  the  pro\dsion  of  semces  upon  the  in- 

11  di\iduars  execution  of  an  informed  consent  to  dis- 

12  close  personal  health  information  to  the  minimum 

13  extent  necessary. 

14  (4)    Informed    consents    for  payment 

15  UNDER  C!ERT^iiN  CIRCUMSTANCES. — If  an  individual 

16  is  in  a  physical  or  mental  condition  such  that  the  in- 

17  dividual  is  not  capable  of  authorizing  the  disclosure 

18  of  personal  health  information  and  no  other  arrange- 

19  ments  have  been  made  to  pay  for  the  health  care 

20  sei-vices  being  rendered  to  the  patient,  such  informa- 

21  tion  may  be  disclosed  to  a  governmental  authority  to 

22  the  extent  necessaiy  to  determine  the  individual's 

23  eligibility  for,  and  to  obtain,  payment  under  a  gov- 

24  ernmental  program  for  health  care  services  provided 

25  to  the  patient.  The  information  may  also  be  dis- 
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1  closed  to  another  provider  of  health  care  or  health 

2  care  senice  plan  as  necessaiy  to  assist  the  other 

3  pro^'ider  or  health  care  senice  plan  in  obtaining  pay- 

4  ment  for  health  care  senices  rendered  by  that  pro- 

5  ^ider  of  health  care  or  health  care  sendee  plan  to  the 

6  patient.  , 

7  (d)  ]\IODEL  IXF0E]\IED  CONSENT. — The  Secretars^,  in 

8  consultation  vdth  the  Director  of  the  Office  of  Health  In- 

9  formation  Pri^^acv,  after  notice  and  opportunity  for  public 

10  comment  in  accordance  ^^ith  section  553  of  title  5,  United 

1 1  States  Code,  shall  develop  and  disseminate  model  ™tten 

12  informed  consents  of  the  tA^e  described  in  this  section, 

13  wliich  represent  informed  consent  fi^om  the  subject  of  such 

14  personal  health  information  that  satisfies  the  require- 

15  ments  of  this  section,  and  model  statements  of  the  limita- 

16  tions  on  informed  consents.  Any  informed  consent  ob- 

17  tained  on  a  model  informed  consent  form  under  this  sec- 

18  tion  developed  by  the  Secretaiy  pursuant  to  the  preceding 

19  sentence  shall  be  deemed  to  satisfy  the  requirements  for 

20  an  informed  consent  under  this  section. 

21  (e)  Segregation  of  Files. — A  health  information 

22  person  shall  comply  with  the  request  of  an  individual  who 

23  is  the  subject  of  personal  health  information — 
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1  (1)  to  hide,  mask,  or  mark  separate  any  type  or 

2  amount  of  personal  health  information  held  by  the 

3  person;  and 

4  (2)  to  limit  the  use  or  disclosure  of  the  seg- 

5  reg'ated  health  information  mthin  the  person  to 

6  those  specifically  designated  by  the  subject  of  the 

7  personal  health  information.  i     .  . 

8  (f)  Revocation  OF  Informed  Consent. —  • 

9  (1)  In  general. — ^An  indiwlual  may  revoke  or 

10  amend  in  witing  an  informed  consent  under  this 

11  section  at  any  time,  unless  the  disclosure  that  is  the 

12  subject  of  the  consent  is  required  to  effectuate  pay- 

13  ment  for  health  care  that  has  been  provided  to  the 

14  indi\adual  and  for  which  the  individual  has  declined 

15  or  refused  to  pay  from  the  individual's  own  funds. 

16  (2)  IIe^\lth  plan. — ^With  respect  to  a  health 

17  plan,   the   informed   consent   of  an   indi^ddual  is 

18  deemed  to  be  revoked  at  the  time  of  the  cancellation 

19  or  non-renewal  of  enrollment  in  the  health  plan,  ex- 

20  cept  as  may  be  necessary  to  complete  plan  adminis- 

21  tration  and  payment  requirements  related  to  the  in- 

22  dividual' s  period  of  enrollment. 

23  (g)  Record  of  iNDmDUAL's  Informed  Consents 

24  and  Revocations. — Each  person  accessing,  maintaining, 

25  retaining,  modifying,  recording,  storing,  destroying,  or 

•HR  5442  IH  'T;^      :  ,  - 


•  47 

1  otherwise  using  personally  identifiable  or  personal  health 

2  information  for  purposes  of  treatment  or  payment  shall 

3  maintain  a  record  for  a  period  of  6  years  of  each  informed 

4  consent  by  an  indiAidual  and  any  revocation  thereof,  and 

5  such  record  shall  become  part  of  the  indi\iduars  health 

6  record  set.  •  , 

7  SEC.  123.  INFORMED  CONSENT  AND  AUTHORIZATION  FOR 

8  DISCLOSURE  OF  PERSONAL  HEALTH  INFOR- 

9  MATION  OTHER  THAN  FOR  TREATMENT  OR 

10  PAYMENT. 

11  (a)  In  GENERxy:^. — health  information  person  that 

12  seeks  to  disclose  personal  health  information  for  a  purpose 

13  other  than  treatment  or  payment  shall  obtain  informed 

14  consent.  Such  consent  under  this  section  shall  be  separate 

15  from  an  informed  consent  provided  under  section  122. 

16  (b)  Limitation  on  Authorizations. — person 

17  subject  to  section  122  may  not  condition  the  deliver}^  of 

18  treatment,  or  payment  for  semces,  on  the  receipt  of  an 

19  informed  consent  or  authorization  described  in  this  sec- 

20  tion. 

21  (c)  Model  Informed  Consents  and  Authoriza- 

22  TIONS. — The  Secretary,  in  consultation  wdth  the  Director 

23  of  the  Office  of  Health  Information  Privacy,  after  notice 

24  and  opportunity  for  public  comment  in  accordance  \mth 

25  section  553  of  title  5,  United  States  Code,  shall  develop 
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1  and  disseminate  model  informed  consents  of  the  type  de- 

2  scribed  in  subsection  (a)  and  written  authorizations  of  the 

3  type  described  in  subsections  (d)  and  (e).  Any  consent  or 

4  authorization  obtained  on  a  respective  model  form  shall 

5  be  deemed  to  meet  the  requirements  under  the  respective 

6  subsection.  ;o  ;  <  * 

7  (d)  Requirement  of  Separate,  Additional  Au- 

8  THORIZATION  FOR  PERSONNEL  DECISIONS. — ^A  health  in- 

9  formation  person  subject  to  section  122  may  not  disclose 

10  personal  health  information  to  any  employees  or  agents 

1 1  who  are  responsible  for  making  employment,  work  assigii- 

12  ment,  or  other  personnel  decisions  mth  respect  to  the  sub- 

13  ject  of  the  information  without  a  separate,  additional  writ- 

14  ten  authorization  permitting  such  a  disclosure.  -  s 

15  (e)  Requirement  of  Separate,  Additional  Au- 

16  THORIZATION  FOR  MARIvETING. —  =  >■ 

17  (1)  In  general. — ^A  health  information  person 

18  may  not  disclose  personal  health  information  for 

19  marketing  purposes  wdthout  a  separate,  additional 

20  written  authorization  permitting  such  a  disclosure. 

21  (2)  Requirements. — In  the  case  of  a  disclo- 

22  sure  of  personal  health  information  for  marketing 

23  purposes,  a  separate  authorization  required  by  para- 

24  graph  (1),  to  be  valid,  shall —  ; 
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1  CA)  state  that  ijiie  pmpose  of  the  clisclo- 

2  siu'v  is  for  ■  "marketing"; 

3  B    state  that  the  piirj^ose  of  the  use  or 

4  disclosure  irrrolved  is  marketing: 

5  t_     Inscribe  the  specilie  marketuig  uses 

6  and  disclosiu'es  auth-jrize'l.  iiichichng  whether 

7  the  personal  health  infijrmati'jn  in^'oh'ed — 

8  "    -  ■     (i)  may  be  used  for  piu^joses  internal 

9  -     to  the  person: 

10  tii)  may  be  chsclosed  to.  and  used  by, 

11  a  business  associate  'jf  the  person:  and 

12  .   ...  ■  (  iiii  may  be  disclosed  to,  and  used  by, 

13  any  person  or  entire'  other  than  a  business 

14  associate  of  the  person:  and 

15  iD)  state  that  the  ttse  or  chsclosur-e  ijf  per- 

16  sonai  healtli  infc'rmati'jn  fjr  marketing  ".-^dll  'h- 

17  rectly  result  in  remuneration  to  the  per.-"i.  ii  '  an 

18  a  third  paiT^'.  in  any  case  in  which  a  pt-rs'jn  ex- 

19  peets.  or  reasonably  should  exjject.  that  such  re- 

20  muneration  v^iR  occiu-. 

21  '  ^i- .  (3)  ]\L\EKETLVr:r  DEFIXED.  

22  'A'  Ix  (jEXERal. — In  this  subsection,  the 

23  term  ■■manketing"  is  a  coromimication  about  a 

24  product  or  service  a  pm-jjose  of  which  is  to  en- 

25  courage  recipients  of  the  eormn  imication  to  pui'- 
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1  chase  or  use  the  product  or  sendee  in  return  for 

2  direct  or  indirect  compensation. 

3  (B)  Exclusions. — 

4  (i)  In  general. — Subject  to  clause 

5  (ii),  such  term  excludes  the  following  ex- 

6  ceptions: 

7  (I)  Comnmnications  made  by  per- 

8  son  for  the  purpose  of  describing  the 

9  entities  participating  in  a  provider 

10  network  or  health  plan  network,  and 

11  communications  made  by  a  person  for 

12  the  purpose  of  describing  if  and  the 

13  extent  to  which  a  product  or  sendee, 

14  or  payment  for  a  product  or  service,  is 

15  pro\dded  by  the  person  or  included  in 

16  a  benefit  plan. 

17  (II)  Communications  tailored  to 

18  the  circumstances  of  a  particular  indi- 

19  vidual,  made  by  a  health  care  provider 

20  to  an  indi\ddual  as  part  of  the  treat- 

21  ment  of  the  indi^ddual,  and  for  the 

22  purpose  of  furthering  the  treatment  of 

23  that  indi\idual. 

24  (III)  Communications  tailored  to 

25  the  circumstances  of  a  particular  indi- 
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1  •       ■      \idual  and  made  by  a  health  care  pro- 

2  -       ^ider  or  heahh  plan  to  an  indhidual 

3  in  the  course  of  managing  or  coordi- 

4  /XOi^^;     nating  the  treatment  of  that  mdi- 

5  .  ;ay  ;       vidual  or  for  the  purpose  of  directing 

6  ^  :       or  recommending  to  that  hidi^idual  al- 

7  '.r-  i  ';:-      ternative  treatments,  therapies,  pro- 

8  adders,  or  settings  of  care. 

9  ■  ■  (h)  Exception. — Clause  (i)  shall  not 

10  ••  apply,  and  a  communication  shall  be  con- 

11  sidered  marketing,  if  a  person  receives  di- 

12  rect  or  indirect  remuneration  from  a  third 

13  party  for  making  a  mitten  communication 

14  othendse  described  in  subclause  (I),  (II), 

15  or  (III)  of  such  clause. 

16  (f)  Requirement  To  Release  Personal  He.\lth 

17  Intor:\l\tion  to  Coronters  and  IVIedical  Exajm- 

18  INERS. —  ■             '  "■ 

19  (1)  In  general. — ^\Mien  a  coroner  or  medical 

20  examiner  or  their  duly  appointed  deputies  seek  per- 

21  sonal  health  information  for  the  purpose  of  inquiiy 

22  into  and  determination  of,  the  cause,  manner,  and 

23  circumstances  of  an  individual's  death,  the  health  in- 

24  formation  person  shaU  provide  that  individual's  per- 

25  sonal  health  information  to  the  coroner  or  medical 
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1  examiner  or  to  the  duly  appointed  deputies  without 

2  undue  delay  or  consent  by  the  deceased  individual's 

3  representative. 

4  (2)  Production  of  additional  informa- 

5  TION. — If  a  coroner  or  medical  examiner  or  their 

6  duly  appointed  deputies  receives  health  information 

7  from  a  person  referred  to  in  paragraph  (1),  such 

8  health  information  shall  remain  as  personal  health 

9  information  unless  the  health  information  is  at- 

10  tached  to  or  othe™se  made  a  part  of  a  coroner's  or 

11  medical  examiner's  official  report,  in  which  case  it 

12  shall  no  longer  be  protected. 

13  (3)  Exemption. — Health  information  attached 

14  to  or  otherwise  made  a  part  of  a  coroner's  or  med- 

15  ical  examiner's  official  report  shall  be  exempt  from 

16  the  pro\^sions  of  this  title  except  as  provided  for  in 

17  this  subsection. 

18  (4)  Reimbursement. — A  person  referred  to  in 

19  paragi^aph  (1)  may  request  reimbursement  from  a 

20  coroner  or  medical  examiner  for  the  reasonable  costs 

21  associated  mth  inspection  or  cop,>dng  of  personal 

22  health  information  maintained,  retained,  or  stored 

23  by  such  person. 

24  (g)  Revocation  or  Ajviendment  of  Consent  or 

25  Authorization. — ^An  individual  may  revoke  or  amend  in 
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1  ^ATitino:  an  informed  consent  or  authorization  under  tliis 

2  section  at  any  time.  ■■    >  ■ 

3  (li)  Actions. — It  shall  not  be  a  violation  of  this  title 

4  with  respect  to  the  cUsclosure  of  personal  health  informa- 

5  tion —  '--      ^-  ^              ■      '  ■  - 

6  (1)  if  the  chsclosure  was  made  based  on  a  good 

7  faith  rehance  on  the  inchAi dual's  informed  consent  or 

8  authorization  under  this  section  at  the  time  disclo- 

9  sui^e  was  made: 

10  (2)  in  a  case  in  wliich  the  consent  or  authoriza- 

11  tion  is  revoked,  if  the  disclosing  person  had  no  ac- 

12  tual  or  constructive  notice  of  the  revocation:  or 

13  (3)  if  the  disclosure  Avas  for  the  purpose  of  pro- 

14  tecting  another  individual  fi^om  inuninent  physical 

15  harm  and  is  authorized  under  section  141. 

16  (i)  Record  of  Consents,  Authorizations,  axd 

17  Revocations. — Each  person  accessing,  maintaining,  re- 

18  taining.  modifying,  recording,  storing,  destroving.  or  oth- 

19  ei^wise  using  personally  identifiable  or  personal  health  in- 

20  formation  for  purposes  other  than  treatment  or  payment 

21  shall  maintain  a  record  for  a  period  of  6  years  of  each 

22  uiformed  consent  and  authorization  by  an  individual  and 

23  any  revocation  thereof,  and  such  record  sliaU  become  part 

24  of  the  hichAiduars  health  record  set. 
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1  CHAPTER  2— EXCEPTIONS 

2  SEC.    131.   DISCLOSURE   FOR   LAW   ENFORCEMENT,  NA- 

3  TIONAL  SECURITY,  AND  INTELLIGENCE  PUR- 

4  POSES. 

5  (a)  Ac;cESS  to  Persons.  Heai.th  Information 


6  FOR  Law  Enforcement,  National  Security,  and  In- 

7  teeligence  AcTmTiES. — health  information  person, 

8  or  a  person  who  receives  personal  health  information  pur- 

9  snant  to  section  131,  may  disclose  personal  health  infor- 
10  mation  to — 


11  (1)  an  investi^i^ative  or  law  enforcement  officer 

12  (as  defined  in  subsection  (k))  pursuant  to  a  warrant 

13  issued  under  the  Federal  Rules  of  Criminal  Proce- 

14  dure,  an  equivalent  State  warrant,  a  grand  jury  sub- 

15  poena,  ci\al  subpoena,  civil  investigative  demand,  or 

16  a  court  order  under  limitations  set  forth  in  sub- 

17  section  (b);  and 

18  (2)  an  authorized  Federal  official  for  the  con- 

19  duct  of  lawful  intelligence,  counter-intelligence,  and 

20  other  national  security  activities  authorized  by  the 

21  National  Security  Act  (50  U.S.C.  401  et  seq.)  and 

22  implementing  authority  (Executive  Order  12333),  or 

23  otherwise  by  law.  ' 
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1  (b)  Lbiitation  ox  UvSE  and  Disclosure  for  Xa- 

2  TioxAL  Security,  Intelligence,  and  Other  Law  En- 

3  FORCE^^IENT  INQUIRIES. — 

4  (1)  In  GENEPvAL. — Personal  health  information 

5  about  an  inchAidual  that  is  chselosecl  imder  this  sec- 

6  tion  may  not  be  used  in.  or  chselosed  to  any  entity 

7  for  use  m.  any  administrative,  ei^il.  or  criminal  ae- 

8  tion  or  investigation  directed  agamst  the  inch^idual, 

9  unless  the  action  or  investigation  arises  out  of.  or  is 
10  directly  related  to.  the  law  enforcement,  national  se- 
ll curit^'.  or  inteUigence  inquiiy  for  Avhicli  the  uiforma- 

12  tion  was  obtained. 

13  (2)  Law  enforce^ient  inquiry  defin'ed. — 

14  Li  paragraph  (1).  the  term  "law  enforcement  in- 

15  quu^"'"  means  a  la^vfiil  executive  branch  investigation 

16  or  official  proeeeduig  inquiring  mto  a  violation  of.  or 

17  failure  to  comply  vitli.  any  crimmal  or  ci^il  statute 

18  or  any  regulation,  rale,  or  order  issued  piu\suant  to 

19  such  a  statute. 

20  (c)  Redactions. — To  the  maximum  extent  prac- 

21  ticable,  and  consistent  ^Aith  the  requirements  of  due  proc- 

22  ess.  a  law  enforcement  agency  shah  redact  personally  iden- 

23  tiffing  information  fiTjm  personal  health  information  prior 

24  to  the  pu1)lic  chsclosure  of  such  protected  information  in 

25  a  judicial  or  administrative  proceeding. 
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1  (d)  Exception. — This  section  shall  not  be  constraed 

2  to  limit  or  restrict  the  ability  of  law  enforcement  authori- 

3  ties  to  gain  information  while  in  hot  pursuit  of  a  suspect 

4  or  if  other  exigent  circumstances  exist. 

5  (e)  Investigative  or  Law  Enforcement  Officer 

6  Defined. — In  this  section,  the  term  "investigative  or  law 

7  enforcement  officer"  means  any  officer  of  the  United 

8  States  or  of  a  State  or  political  subdivision  thereof,  who 

9  is  empowered  by  law  to  conduct  investigations  of,  or  to 

10  make  arrests  for,  civil  or  criminal  offenses,  and  any  attor- 

11  ney  authorized  by  law  to  prosecute  or  participate  in  the 

12  prosecution  of  such  offenses.  :  =    :  -  ; 

1 3  SEC.  132.  DISCLOSURE  FOR  PUBLIC  HEALTH  PURPOSES. 

14  (a)  In  Generai.. — health  information  person  may 

15  disclose  personal  health  information  to  a  public  health  au- 

16  thority  (as  defined  in  section  171(24))  or  other  entity  au- 

17  thorized  by  public  health  law,  when  receipt  of  such  infor- 

1 8  mation  by  the  authority  or  other  entity — 

19  (1)  relates  directly  to  a  specified  public  health 

20  purpose; 

21  (2)  is  reasonably  likely  to  achieve  such  purpose; 

22  and 

23  (3)  is  intended  for  a  purpose  that  cannot  be 

24  achieved  through  the  receipt  or  use  of  de-identified 

25  health  information. 
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1  (b)  Public  Health  Protection  Defined. — For 

2  purposes  of  subsection  (a),  tlie  term  ''public  health  pm-- 

3  pose"  means  a  poiDuiation-based  acthit^^  or  individual  ef- 

4  fort,  authorized  by  law.  the  puipose  of  which  is  the  preven- 

5  tion  of  injuiy.  disease,  or  prematui'e  mortaht^-,  or  the  pro- 

6  motion  of  health,  in  a  conununitA',  including — 


7  (1)  assessing  the  health  needs  and  status  of  the 

8  community'  thi^ough  pubhc  health  sm-^Tillance  and 

9  epidemiological  research: 

10  (2)  implementing  pubhc  health  pohcy; 

11  (3)  resj^onding  to  pubhc  health  needs  and  emer- 

12  gencies;  and  - 

13  (4)  any  other  activities  or  efforts  authorized  by 

14  law. 

15  (e)  Ldhtations. — The  purpose  of  the  disclosm^  de- 


16  scribed  in  subsection  (a)  shaU  be  of  significant  unportance 

17  such  that  it  waiTants  the  potential  effect  on.  or  risk  to, 

18  the  privacy  of  individuals  that  the  additional  exj30smT  of 

19  personal  health  information  might  l3ring.  Any  infi^inge- 

20  ment  on  the  right  to  privacy  under  this  section  shall  use 

21  the  least  intmsive  meajis  that  ai'e  tailored  to  minimize  in- 

22  tnision  on  the  right  to  privacy. 
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1  SEC.  133.  REPORTING  OF  ABUSE  AND  NEGLECT  TO  PRO- 

2  TECTION  AND  ADVOCACY  AGENCIES. 

3  Ally  health  information  person  may  disclose  personal 

4  health  information  to  a  protection  and  advocacy  agency 

5  established  nnder  part  C  of  title  I  of  the  Developmental 

6  Disabilities  Assistance  and  Bill  of  Rights  Act  (42  U.kS.C. 

7  6041  et  seq.)  or  nnder  the  Protection  and  Advocacy  for 

8  Mentally  111  Indiwlnals  Act  of  1986  (42  U.S.C.  10801  et 

9  seq.)  when  such  person  reasonably  believes  that  an  indi- 

10  ^ddnal  who  is  the  subject  of  the  personal  health  informa- 

1 1  tion  is  vulnerable  to  abuse  and  neglect  by  an  entity  pro- 

12  viding  health  or  social  services  to  the  individual. 

13  SEC.  134.  DISCLOSURE  TO  NEXT  OF  KIN  AND  DIRECTORY 

14  INFORMATION. 

15  (a)  Next  of  Kin. — ^A  health  care  provider,  or  a  per- 

16  son  that  receives  personal  health  information  under  sec- 

17  tion  141,  may  disclose  personal  health  information  about 

18  health  care  sei-vices  provided  to  an  individual  to  the  indi- 

19  vidual's  next  of  kin,  or  to  another  entity  that  the  indi- 

20  \ddual  has  identified,  if  at  the  time  of  the  treatment  of 

21  the  individual — 


22  (1)  the  indi^ddual — 

23  (A)  has  been  notified  of  the  individual's 

24  right  to  object  to  such  disclosure  and  the  indi- 

25  \idual  has  not  objected  to  the  disclosure;  or 
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1  iB)  is  in  a  physical  or  mental  condition 

2  such  that  the  unii^idnal  is  not  capable  of  ol^ject- 

3  ing.  and  there  are  no  prior  inchcations  tliat  the 

4  iniiividnal  would  object:  and 

5  (2)  the  infoiination  disclosed  is  relevant  to 

6  health  cai^e  seiTices  eiuTently  Ijeing  pr-j^ided  to  that 

7  individual. 

8  (b)  DiRECTOEY  IXFuRAiATlLiX. — 

9  Dlsclosi'^re. — 

10  (A)  Ix  CxEXERAL.. — Except  as  provided  ia 

11  pai*agraph  (2).  with  respect  to  an  in;h\idnal 

12  who  is  achnitted  as  an  inx^atient  to  a  health  eai^e 

13  lachity.  a  person  described  ui  subsection  (a) 

14  may  disclose  int'omiation  descriljed  ui  siibpara- 

15  graph  iB'  abont  the  indn^idnal  to  any  entit^'  if, 

16  at  the  tune  of  the  a>hnission.  the  indiWdual — 

17  i.i  i  has  been  notified  of  the  uich^id- 

18  ual's  light  to  object  and  has  not  objected 

19  to  the  disclosure:  or 

20  (ii)  is  in  a  physical  or  mental  conch- 

21  -  "       tion  such  that  the  uich^idnai  is  not  capable 

22  of  objecting  and  there  are  no  prior  indica- 

23  tions  that  the  individual  wonld  object. 
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1  (B)  Infori^IATION. — Information  described 

2  in  this  subparagraph  is  information  that  con- 

3  sists  only  of  1  or  more  of  the  following  items: 

4  (i)  The  name  of  the  individual  who  is 

5  the  subject  of  the  information. 

6  (ii)  The  general  health  status  of  the 

7  individual,  described  as  critical,  poor,  fair, 

8  stable,  or  satisfaetoiy  or  in  terms  denoting 

9  similar  conditions. 

10  (iii)  The  location  of  the  individual 

11  \^dthin  the  health  care  facility  to  which  the 

12  indi^ddual  is  admitted. 

13  (2)  Exception. — Paragi^aph  (l)(B)(iii)  shall 

14  not  apply  if  disclosure  of  the  location  of  the  indi- 

15  vidual  would  reveal  specific  information  about  the 

16  physical  or  mental  condition  of  the  indi^adual,  unless 

17  the  individual  expressly  authorizes  such  disclosure. 

18  (c)  Directory  or  Next-of-Kin  Information. — 


19  disclosure  may  not  be  made  under  this  section  if  the  dis- 

20  closing  person  described  in  subsection  (a)  has  reason  to 

21  believe  that  the  disclosure  of  directory  or  next-of-kin  infor- 

22  mation  could  lead  to  the  physical  or  mental  harm  of  the 

23  indi\ddual,  unless  the  individual  expressly  authorizes  such 

24  disclosure. 
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1  CHAPTER  3— SPECL4L  CIRCUIVISTANCES 

2  SEC.  141.  E3IERGE>XY  CmCOISTA>XES. 

3  (a)  CtEXERal  RrLE. — Iii  the  eveiiT  of  a  tiii-eat  of  im- 

4  miiient  physical  or  meutal  harm  to  the  subject  of  personal 

5  health,  information,  any  person  may.  in  orcler  to  aUay  or 

6  remedy  such  thivat.  disclose  personal  health  information 

7  al^oiit  such  siibiect  to  a  health  care  provider,  health  care 

8  facihty.  law  enforcement  aiithuritA-.  or  emerg'eney  meidical 

9  personnel,  to  the  minimum  extent  necessaiy  and  only  if 
10  deteiinined  appropriate  by  a  health  care  provider. 


11  (Id)  Haeai  Tu  Othees. — ^Any  person  may  chsclose 

12  personal  health  uiformation  abuiit  the  subject  of  the  infor- 

13  mation  where —  -          -    -  .- w 

14  il)  stich  subject  has  made  an  identifiable  threat 

15  of  serions  injmy  or  death  vvitli  respect  to  an  identifi- 

16  able  individual  or  gi'oup  of  individuals: 

17  (2)  the  subject  has  the  abiht}-  to  cany  out  such 

18  threat:  and 

19  (3)  the  release  of  such  information  is  necessaiy 

20  to  prevent  or  sigTiificantly  reduce  the  possibiht^-  of 

21  such  tVireat  Viomg  carried  out. 

22  SEC.  142.  HEALTH  RESEARCH. 

23  (a)  Eegi-latioxs. — 

24  1 1  •  Ix  itEXEILil. — The  rec|uu^emeiits  and  pro- 

25  tections  provided  for  under  pan:  46  of  title  45,  Code 
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1  of  Federal  Regulations  (as  in  effect  on  the  date  of 

2  enactment  of  this  Act),  shall  apply  to  all  health  re- 

3  search. 

4  (2)  Effective  date. — Paragraph  (1)  shall  not 

5  take  effect  until  the  Secretaiy  has  promulgated  final 

6  reg-ulations  to  implement  such  paragraph. 

7  {h)  EViVLUATiON. — Not  later  than  24  months  after 

8  the  date  of  the  enactment  of  this  Act,  the  Secretary^  shall 

9  prepare  and  submit  to  Congress  detailed  recommendations 

10  on  whether  informed  consent  should  be  required,  and  if 

11  so,  under  what  circumstances,  before  personal  health  in- 

12  formation  can  be  used  for  health  research. 

13  (c)  Recommendations. — The  recommendations  re- 

14  quired  to  be  submitted  under  subsection  (b)  shall  in- 

15  elude— 

16  (1)  a  detailed  explanation  of  current  institu- 

17  tional  review  board  practices,  including  the  extent  to 

18  which  the  privacy  of  individuals  is  taken  into  ac- 

19  count  as  a  factor  before  allowing  waivers  and  under 

20  what    circumstances    informed    consent    is  being 

21  waived; 

22  (2)  a  list  of  all  kno^^^l  breaches  of  health  infor- 

23  mation  privacy  over  the  past  5  years  in  research 

24  projects  approved  by  an  institutional  review  board; 
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(3)  a  siimniaiy  of  how  Teeliiiol'jgy  that  both  fa- 
eihtates  research  and  presences  privacy  could  be 
used  Tij  obtam  uif'oiTaecl  ciaisent  and  strip  identi- 
fying data  for  the  piupose  of  research: 

(  4i  an  analysis  of  State  and  Federal  laivs.  med- 
ical etliics.  and  etlhcs  in  the  perfonnance  of  health 
research  that  examines  reqiiir-ements  for  the  receipt 
of  informed  consent:  and 

(5)  an  analA^sis  of  the  risks  and  benefits  of  al- 
lo\\mg  indi^idtials  to  consent  or  to  refuse  to  consent, 
at  the  tune  of  receiving  mechcal  treatment,  to  the 
possible  fixture  use  of  records  of  mechcal  treatments 
for  research  smches. 

(d)  CoxsixtatkjX. — In  earning  out  this  sec-tion. 
the  Secretaiy  shaU  consult  Avith  inchviduals  who  have  chs- 
tingiiished  themselves  m  the  fields  of  health  research,  pri- 
vacy, related  technology  mclucling  electnjiiic  consent  man- 
agement tools,  comsumer  interests  in  health  information, 
health  data  standards,  and  the  provision  of  health  senices. 

fe)  CoxGRESSioxAL  Notice. — Not  later  than  6 
months  afier  the  date  on  wliich  the  Secretaiy  submits  to 
Congress  the  recormnendati(jns  required  imder  subsection 
iji.  the  Secretaiy  shaU  propose  to  implement  such  rec- 
ommendations thi^ough  regulations  promulgated  on  the 
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1  record  after  opportunity  for  a  hearing,  and  shall  advise 

2  the  Congress  of  such  proposal. 


3  (f)  Other  Requirements. — 

4  (1)  Obligations  of  the  recipient. — per- 

5  son  who  receives  personal  health  information  pursu- 

6  ant  to  this  section  shall  remove  or  destroy,  at  the 

7  earliest  opportunity  consistent  with  the  purposes  of 

8  the  project  involved,  information  that  would  enable 

9  an  individual  to  be  identified,  unless — 

10  (A)  an  institutional  review  board  has  de- 

1 1  termined  that  there  is  a  health  or  research  jus- 

12  tification  for  the  retention  of  such  identifiers; 

13  (B)  an  institutional  review  board  has,  to 

14  the  maximum  extent  practicable,  attempted  to 

15  contact  the  indi\ddual  to  whom  the  identifiers 

16  relate; 

17  (C)  upon  being-  contacted  pursuant  to  sub- 

18  paragraph  (B),  the  individual  does  not  object  to 

19  the  retention  of  such  identifiers;  and 

20  (D)  there  is  an  adequate  plan  to  protect 

21  the  identifiers  from  disclosure  consistent  with 

22  this  section. 

23  (2)  Periodic  review  and  technical^  assist- 

24  ANCE. —  .■ 
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1  (A)  Institutional  rewew  boaed. — ^Aiiy 

2  institutional  review  board  that  authorizes  re- 

3  search  under  tliis  section  shall  provide  the  Sec- 

4  retaiy  ^^ith  the  names  and  addresses  of  the  in- 

5  stitutional  review  board  members. 

6  (B)  Technical  assistance. — The  Sec- 

7  retar}^  shall  provide  teclniical  assistance  to  insti- 

8  tutional  re^dew  boards  described  in  tliis  sub- 

9  section. 

10  (C)  Monitoring. — The  Secretaiy  shall  pe- 
ll riodicallv  monitor  institutional  review  boards 

12  described  in  tliis  subsection,  including  \\ith  re- 

13  spect  to  the  privacy,  security,  and  confiden- 

14  tialitj"  practices  of  such  boards. 

15  (D)  Reports. — Not  later  than  3  years 

16  after  the  date  of  enactment  of  this  Act,  the  Sec- 

17  retar}^  shall  report  to  Congxess  regarding  the 

18  activities   of  institutional   re\dew  boards  de- 

19  scribed  in  this  subsection. 

20  (g)  LmiTATiON. — Nothing  in  this  section  shah  be 


21  constmed  to  permit  personal  health  information  that  is 

22  received  by  a  researcher  under  this  section  to  be  accessed 

23  for  purposes  other  than  research  or  as  authorized  by  the 

24  individual  that  is  the  subject  of  such  personal  health  infor- 

25  mation. 
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1  SEC.  143.  HEALTH  OVERSIGHT  FUNCTIONS. 

2  (a)  In  General. — health  mformation  person  may 

3  disclose  personal  health  information  to  a  health  oversight 

4  agency  (as  defined  in  section  171(16))  to  enable  the  agen- 

5  cy  to  perform  a  health  oversight  function  authorized  by 

6  law,  if — 


7  ( 1 )  the  purpose  for  which  the  disclosure  is  to  be 

8  made  cannot  reasonably  be  accomplished  without 

9  personal  health  information; 

10  (2)  the  purpose  for  which  the  disclosure  is  to  be 

11  made  is  of  sufficient  importance  to  warrant  the  ef- 

12  feet  on,  or  the  risk  to,  the  privacy  of  the  individuals 

13  that  additional  exposure  of  the  information  might 

14  bring;  and 

15  (3)  there  is  a  reasonable  probability  that  the 

16  purpose  of  the  disclosure       be  accomphshed. 

17  (b)  Use  and  Maintenance  of  Personal  Health 

18  Information. — health  oversight  agency  that  receives 

19  personal  health  information  under  subsection  (a) — 

20  (1)  shall,  to  the  maximum  extent  practicable, 

21  obtain  the  informed  consent  of  the  individual  to 

22  whom  the  personal  health  information  relates  before 

23  using  or  disclosing  the  information; 

24  (2)  shall  secure  personal  health  information  in 

25  all  work  papers  and  all  documents  sunnnarizing  the 

26  health  oversight  activity  through  technological,  ad- 
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1  niinistrative,  and  physical  safe^ards  including  cryp- 

2  togTaphic-key  based  enci-Aption; 

3  (3)  shall  maintain  in  its  records  only  such  infor- 

4  mation  about  an  indi^idual  as  is  relevant  and  nec- 

5  essar}^  to  accomplish  the  purpose  for  which  the  per- 

6  sonal  health  information  was  obtained; 

7  (4)    using   appropriate    encr\"ption  measures. 

8  shall  maintain  such  information  securely  and  limit 

9  access  to  such  information  to  those  persons  with  a 

10  legitimate  need  for  access  to  cany  out  the  purpose 

11  for  which  the  records  were  obtained;  and 

12  (5)  shall  remove  or  destroy  the  infonnation  that 

13  allows  subjects  of  personal  health  information  to  be 

14  identified  at  the  earliest  time  at  which  removal  or 

15  destmction  can  be  accomphshed,  consistent  ^\dth  the 

16  purpose  of  the  health  oversight  activity. 

17  (c)  Authorization  by  a  Supervisor. — For  pur- 

18  poses  of  this  section,  the  individual  '\ith  authority  to  au- 

19  thorize  the  oversight  function  involved  shall  provide  to  the 

20  disclosing  person  described  in  subsection  (a)  a  statement 

21  that  the  personal  health  information  is  being  sought  for 

22  a  legally  authorized  oversight  function. 

23  SEC.  144.  INDIVroUAL  REPRESENTATIVES. 

24  (a)  Ix  General. — Except  as  provided  in  subsections 

25  (b)  and  (c),  a  person  who  is  authorized  by  law  (based  on 
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1  gi'ouiids  other  than  an  individual's  status  as  a  minor),  or 

2  by  an  instrument  recognized  under  law,  to  act  as  an  agent, 

3  attorney,  proxy,  or  other  legal  representative  of  an  indi- 

4  vidual,  may,  to  the  extent  so  authorized,  exercise  and  dis- 

5  charge  the  rights  of  the  individual  under  this  title. 

6  (b)  Health  Care  Power  of  Attorney. — person 

7  who  is  authorized  by  law  (based  on  grounds  other  than 

8  being  a  minor),  or  by  an  instrument  recognized  under  law, 

9  to  make  decisions  about  the  provision  of  health  care  to 

10  an  individual  who  is  incapacitated,  may  exercise  and  dis- 

11  charge  the  rights  of  the  individual  under  this  title  to  the 

12  extent  necessary  to  effectuate  the  terms  or  purposes  of 

13  the  grant  of  authority. 

14  (c)  Individuals  Suffering  From  Certain  Med- 

15  ICAL  Conditions. — If  a  physician  or  other  health  care 

16  provider  determines  that  an  individual,  who  has  not  been 

17  declared  to  be  legally  incompetent,  suffers  from  a  medical 

18  condition  that  prevents  the  individual  from  acting  know- 

19  ingly  or  effectively  on  the  individual's  own  behalf,  the  right 

20  of  the  individual  to  access  or  amend  the  health  informa- 

21  tion  and  to  authorize  disclosure  under  this  title  may  be 

22  exercised  and  discharged  in  the  best  interest  of  the  indi- 

23  ^ddual  by —  "  " 

24  (1)  a  person  described  in  subsection  (b)  with  re- 

25  spect  to  the  individual; 
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1  (2)  a  person  described  iii  subsection  (a)  mth  re- 

2  spect  to  the  indi^ddnal,  but  only  if  a  person  de- 

3  scribed  in  paragi^aph  (1)  cannot  be  contacted  after 

4  a  reasonable  effort  or  if  there  is  no  indi"\ddual  who 

5  fits  the  description  in  paragraph  (1); 

6  (3)  the  next  of  kin  of  the  mdiridual,  but  only 

7  if  a  person  described  m  paragTaph  (1)  or  (2)  camiot 

8  be  contacted  after  a  reasonable  effort;  or 

9  (4)  the  health  care  prorider,  but  only  if  a  per- 

10  son  described  hi  paragi^aph  (1),  (2),  or  (3)  camiot  be 

11  contacted  after  a  reasonable  effort. 

12  (d)  Rights  of  JMinors. — 

13  (1)  IXDRTDUALS  WHO  ARE  18  OR  LEGALLY  CA- 

14  PABLE. — In  the  case  of  an  indiridual — 

15  (A)  who  is  18  years  of  age  or  older,  aU 

16  rights  of  the  mdiridual  under  tliis  title  shall  be 

17  exercised  by  the  indiridual;  or 

18  (B)  who,   actmg  alone,  can  consent  to 

19  health  care  mthout  riolatiiig  am^  applicable  law, 

20  and  who  has  sought  such  care,  the  indiridual 

21  shall  exercise  all  rights  of  an  iiidiridual  under 

22  this  title  with  respect  to  personal  health  iiifor- 

23  niation  relating  to  such  health  care. 
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1  (2)  Individuals  under  is. — Except  as  pro- 

2  vided  in  paragraph  (1)(B),  in  the  case  of  an  indi- 

3  vidiial  who  is — 

4  (A)  under  14  years  of  age,  all  of  the  indi- 

5  vidual's  rights  under  this  title  shall  be  exercised 

6  through  the  parent  or  legal  guardian;  or 

7  (B)  14  through  17  years  of  age,  the  rights 

8  of  inspection,  supplementation,  and  modifica- 

9  tion,  and  the  right  to  authorize  use  and  disclo- 

10  sure  of  personal  health  information  of  the  indi- 

11  vidual  shah  be  exercised  by — 

12  (i)  the  individual  where  no  parent  or 

13  legal  guardian  exists; 

14  (ii)  the  parent  or  legal  guardian  of  the 

15  individual;  or 

16  (iii)  the  individual  if  the  parent  or 

17  legal  giiardian  determined  that  the  indi- 

18  vidual  has  the  sole  right  the  control  their 

19  health  information. 

20  (e)  Deceased  Individuals. — 

21  (1)  Application  of  act. — The  provisions  of 

22  this  title  shall  continue  to  apply  to  personal  health 

23  information  concerning  a  deceased  individual. 

24  (2)  Exercise  op  rights  on  behaijF  of  a  de- 

25  CEASED  individual. — ^A  person  who  is  authorized 
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1  by  law  or  by  an  instrument  recognized  under  law,  to 

2  act  as  an  executor  or  administrator  of  the  estate  of 

3  a  deceased  individual,  or  otherwise  to  exercise  the 

4  rights  of  the  deceased  individual,  may,  to  the  extent 

5  so  authorized,  exercise  and  discharge  the  rights  of 

6  such  deceased  individual  under  this  title.  If  no  such 

7  designee  has  been  authorized,  the  rights  of  the  de- 

8  ceased  individual  may  be  exercised  as  provided  for  in 

9  subsection  (c). 

10  (3)    Identification    of    deceased  indi- 

11  \n:DUAL. — person  described  in  section  136(a)  may 

12  disclose  personal  health  information  if  such  disclo- 

13  sure  is  necessary  to  assist  in  the  identification  of  a 

14  deceased  individual. 

15  Subtitle  D — Enforcement 

16  SEC.  151.  IN  GENERAL. 

17  (a)  Civil  PENiU^TY. — health  information  person 

18  who  the  Secretary,  in  consultation  with  the  Attorney  Gen- 

19  eral,  determines  has  substantially  and  materially  failed  to 

20  comply  with  this  title  shall  be  subject,  in  addition  to  any 

21  other  penalties  that  may  be  prescribed  by  law — 

22  (1)  in  a  case  in  which  the  violation  relates  to 

23  subtitle  A,  B,  or  C,  to  a  civil  penalty  of  not  more 

24  than  $500  for  each  such  violation,  but  not  to  exceed 

25  $5,000  in  the  aggregate  for  multiple  violations; 
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1  (2)  ill  a  case  in  which  the  ^dolation  relates  to 

2  subtitle  A,  B,  or  C,  to  a  civil  penalty  of  not  more 

3  than  $10,000  for  each  such  violation,  but  not  to  ex- 

4  ceed  $50,000  in  the  aggregate  for  multiple  viola- 

5  tions;  or 

6  (3)  in  a  case  in  which  such  violations  have  oc- 

7  curred  mth  such  frequency  as  to  constitute  a  gen- 

8  eral  business  practice,  to  a  civil  penalty  of  not  more 

9  than  $100,000. 

10  (b)  Civil  Action  by  iNDmouALS. — 

11  (1)  In  general. — ^Any  indiAddual  whose  rights 

12  under  subtitle  A,  B,  or  C  have  been  knowingly  or 

13  negligently  violated  may  bring  a  civil  action  to  re- 

14  cover — 

15  (A)  such  preliminary  and  equitable  relief 

16  as  the  court  determines  to  be  appropriate;  and 

17  (B)  the  gi'cater  of  compensatory  damages 

18  or  liquidated  damages  of  $5,000. 

19  (2)  Additional  remedies. — The  equitable  re- 

20  lief  or  damages  that  may  be  available  under  this  sec- 

21  tion  shall  be  in  addition  to  any  other  lawful  remedy 

22  or  award  that  may  be  available. 

23  SEC.  152.  ENFORCEMENT  BY  STATE  ATTORNEYS  GENERAL. 

24  (a)  Civil  Actions. — In  any  case  in  which  the  attor- 

25  ney  general  of  a  State  or  any  State  or  local  law  enforce- 
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1  ment  agency  authorized  by  the  State  attorney  general  or 

2  by  State  law  to  prosecute  violations  of  consumer  protee- 

3  tion  laws,  has  reason  to  believe  that  an  interest  of  the  resi- 

4  dents  of  that  State  has  been  or  is  threatened  or  adversely 

5  affected  Iw  the  engagement  of  a  person  in  a  practice  that 

6  is  prolubited  imder  stilititle  A.  B.  or  C.  the  State  or  lijcal 

7  law  enforcement  agency  on  behalf  of  the  residents  of  the 

8  agency" s  jtirisdictioii.  may  bring  a  civil  action  on  behalf 

9  of  the  residents  of  the  State  or  jurisdiction  in  a  district 

10  ecaut  of  the  United  States  of  appropriate  jnrischction  to — 

11  ill  enjoin  that  act  or  practice: 

12  i2)  enforce  comphaiice  with  the  respective  siib- 

13  title:  or 

14  1 3 1  obtain  civil  penalties  in  an  amount  cal- 

15  ctilated  by  nmltiphing  the  number  of  violations  by 

16  an  amount  not  greatt^r  than  SI  1.000. 

17  F<jr  pui^xises  of  civil  penalties  under  this  subsection,  each 

18  day  that  a  person  is  in  violation  of  the  rec|uirements  of 

19  subtitle  A.  B.  or  C  shaU  be  treated  as  a  separate  violation, 

20  up  to  a  maxinram  civil  penalty  of  -S5. 00 0.000. 

21  lb  I  Rule  of  Coxstructiox. — For  purposes  of 

22  bringing  any  civil  action  under  subsection  lai.  nothing  in 

23  tins  subtitle  regarding  notification  shaU  be  constmed  to 

24  prevent  an  attorney  general  of  a  State  fi'om  exercisuig  the 
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1  powers  conferred  on  such  attorney  general  by  the  laws  of 

2  that  State  to — 

3  (1)  conduct  investigations; 

4  (2)  administer  oaths  or  affirmations;  or 

5  (3)  compel  the  attendance  of  witnesses  or  the 

6  production  of  documentary  and  other  evidence. 

7  (c)  Venue;  Service  of  Process. — 

8  (1)  Venue. — ^Any  action  brought  under  sub- 

9  section  (a)  may  be  brought  in  the  district  court  of 

10  the  United  States  that  meets  applicable  require- 

11  ments  relating  to  venue  under  section  1391  of  title 

12  28,  United  States  Code. 

13  (2)    Ser^^ce    of    process. — In    an  action 

14  brought  under  subsection  (a),  process  may  be  served 

15  in  any  district  in  which  the  defendant — 

16  (A)  is  an  inhabitant;  or 

17  (B)  may  be  found. 

18  Subtitle  E — Miscellaneous 

19  SEC.  161.  OFFICE  OF  HEALTH  INFORMATION  PRIVACY. 

20  (a)  In  General. — The  Secretary  shall  designate  an 

21  office  within  the  Department  of  Health  and  Human  Serv- 

22  ices  to  be  known  as  the  Office  of  Health  Information  Pri- 

23  vacy  (referred  to  in  this  section  as  the  "Office").  The  Of- 

24  fice  shall  be  headed  by  a  Director,  who  shall  be  appointed 

25  by  the  Secretary. 
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1  (b)  Duties.— The  Dii-ector  of  the  Office  shaU— 

2  (1)  receh'e  and  mvestigate  complamts  of  alleged 

3  violations  of  this  title; 

4  (2)  i3rovide  for  the  conduct  of  audits  where  ap- 

5  propriate; 

6  (3)  provide  ^lidance  to  the  Secretaiy  on  the 

7  implementation  of  tliis  Act; 

8  (4)  provide  guidance  to  health  care  providers 

9  and  other  relevant  mdividuals  conceniing'  the  man- 

10  ner  in  wliicli  to  intei^oret  and  implement  the  privacy 

11  protections  under  this  title  (and  the  regulations  pro- 

12  mulg-ated  under  this  title); 

13  (5)  prepare  and  submit  the  report  described  in 

14  subsection  (c); 

15  (6)  consult  with,  and  provide  recoimnendation 

16  to,  the  Secretarv'  concerning  improv^ements  m  the 

17  privacy  and  secuiitv^  of  personal  health  information 

18  and  concerning  medical  piiv^acy  research  needs;  and 

19  (7)  cany  out  any  other  activities  detemuned 

20  appropriate  by  the  Secretaiy. 

21  (c)  Standards  for  Certification. — 

22  (1)    EsTABLismiENT. — Not    later    than  12 

23  months  after  the  date  of  enactment  of  tliis  Act,  the 

24  Secretaiy,  m  consultation  ^^ith  the  Duector  of  the 

25  Office  and  the  Du^ector  of  the  Office  of  Civil  Eights, 
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1  shall  establish  and  implement  standards  for  health 

2  information  technology  products,  including  qualified 

3  health  information  technology  systems  (as  defined  in 

4  section  213),  used  to  access,  disclose,  maintain, 

5  store,  distribute,  transmit,  amend,  or  dispose  of  per- 

6  sonal  health  information  in  a  manner  that  protects 

7  the  individual's  right  to  privacy,  confidentiality,  and 

8  security  relating  to  that  information. 

9  (2)   STiVKEHOLDER  PARTICIPATION. — In  estab- 

10  lishing  the  standards  under  paragraph  (1),  the  Sec- 

11  retary  shall   ensure  the   participation   of  various 

12  stakeholders,  including  patients  and  consumer  advo- 

13  cates,  privacy  advocates,  experts  in  information  tech- 

14  nology  and  information  systems,   and  experts  in 

15  health  care.  The  Secretary  shall  ensure  that  these 

16  advocates  and  exi^erts  are  equally  represented,  such 

17  that  the  stakeholder  process  does  not  result  in  the 

18  experts  in  information  technology,  information  sys- 

19  tems,  and  health  care  being  disproportionately  rep- 

20  resented  compared  to  advocates  for  the  interests  of 

21  consumers  and  privacy  proponents. 

22  (d)  Report  on  Compliance. — Not  later  than  Janu- 

23  ary  1  of  the  first  calendar  year  beginning-  more  than  1 

24  year  after  the  establishment  of  the  Office  under  subsection 

25  (a),  and  every  January  1  thereafter,  the  Secretary,  in  con- 
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1  siiltation  with  the  Director  of  the  Office,  shall  prepare  and 

2  submit  to  Congi^ess  a  report  concerning  the  number  of 

3  complaints  of  alleged  violations  of  subtitle  A  that  are  re- 

4  ceived  during  the  year  for  which  the  report  is  being  pre- 

5  pared.  Such  report  shall  describe  the  complaints  and  any 

6  remedial  action  taken  concerning  such  complaints  and 

7  shall  be  made  available  to  the  public  on  the  Internet 

8  website  of  the  Department  of  Health  and  Human  Services. 

9  SEC.  162.  PROTECTION  FOR  WfflSTLEBLOWERS. 


10  (a)   Prohibition  Against  Discrimination. — ^A 

1 1  health  information  person  may  not — 

12  (1)  discharge,  demote,  suspend,  threaten,  har- 

13  ass,  retaliate  against,  or  in  any  other  manner  dis- 

14  criminate  or  cause  any  employer  to  discriminate 

15  against  an  employee  in  the  terms  and  conditions  of 

16  employment  because  of — 

17  (A)  the  refusal  of  the  employee  to  engage 

18  in  a  ^dolation  of  this  title;  or 

19  (B)  any  law^il  act  the  employee  has  com- 

20  mitted  or  is  about  to  commit,  or  which  the 

21  health  information  person  perceives  the  em- 

22  ployee  to  have  committed,  to  pro\ide  informa- 

23  tion  or  cause  information  to  be  provided,  in- 

24  eluding  in  the  course  of  the  employee's  routine 

25  job  duties,  to  the  indi^ddual's  employer  or  to  a 
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1  State  or  Federal  official  relating  to  an  actual  or 

2  suspected  violation  of  this  title  by  any  person, 

3  including  an  employer  or  an  employee  of  an  em- 

4  ployer;  or  i' 

5  (2)  adversely  affect  another  person,  directly  or 

6  indirectly,  because  such  person  has  exercised  a  right 

7  under  this  title,  disclosed  information  relating  to  a 

8  possible  \aolation  of  sul)title  A,  B,  or  C  or  this  sec- 

9  tion,  or  associated  with,  or  assisted,  an  individual  in 

10  the  exercise  of  a  right  under  this  title. 

11  (b)  Enforcement  Actions. — 

12  (1)  In  general. — 

13  (A)   Complaint  with   secretaky  of 

14  LABOR. — ^Any  employee  or  former  employee  who 

15  alleges  a  \dolation  of  subsection  (a)  may  seek 

16  relief  under  subsection  (c),  by  filing  a  complaint 

17  with  the  Secretaiy  of  Labor. 

18  (B)  Appeli^^te   RE^aEW  in  case  of 

19  finaIj  order. — Unless  an  employee  brings  an 

20  action  in  district  court  under  subparagraph  (C), 

21  any  person  adversely  affected  or  aggrieved  by  a 

22  final  order  of  the  Secretary  of  Labor  with  re- 

23  spect  to  a  complaint  filed  under  subparagraph 

24  (A)  may  obtain  review  of  the  order  in  the 

25  United  States  court  of  appeals  for  the  circuit  in 
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1  which  the  violation,  with  respect  to  which  the 

2  order  was  issued.  aUegedly  occurred  or  the  cir- 

3  ciiit  in  which  the  complainant  resided  on  the 

4  date  of  such  violation.  The  petition  for  review 

5  nmst  be  filed  not  later  than  60  days  after  the 

6  date  of  the  issuance  of  the  final  order.  The  re- 

7  ^dew  shall  conform  to  chapter  7  of  title  5, 

8  United  States  Code.  The  connnencement  of  pro- 

9  ceeding's  under  this  sul^paragraph  shall  not.  un- 

10  less  ordered  by  the  coui^t,  operate  as  a  stay  of 

11  the  order. 

12  (C)  De  novo  — If  the  Secretaiy  of 

13  Labor  has  not  issued  a  final  decision  within 

14  180  days  after  the  filing  of  the  complaint,  or 

15  ^^dthin  90  days  after  receiAing-  any  A\Titten  de- 

16  termination,  the  complainant  may  bring  an  ac- 

17  tion  at  law  or  equity  for  de  novo  review  in  the 

18  appropriate  district  court  of  the  United  States 

19  A^dth  jurisdiction,  which  shall  have  jurisdiction 

20  over  such  an  action  without   regard   to  the 

21  amount  in  controversy,  and  which  action  shall, 

22  at  the  request  of  either  party  to  such  action,  be 

23  tried  by  the  court  a  juiy. 

24  (2)  PEOCEDrRES. — 
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1  (A)  In  general. — Except  as  provided  in 

2  this  paragraph,  the  complaint  procedures  con- 

3  tained  in  section  42121(b)  of  title  49,  United 

4  States  Code,  shall  apply  with  respect  to  a  com- 

5  plaint  filed  under  paragraph  ( 1 )  (A) . 

6  (B)  Exception. — ^With  respect  to  a  com- 

7  plaint  filed  under  paragraph  (1)(A),  the  notifi- 

8  cation  provided  for  under  section  42121(b)(1) 

9  of  title  49,  United  States  Code,  (as  required 

10  under  subparagraph  (A))  shall  be  made  to  the 

11  person  named  in  the  complaint  and  to  the  em- 

12  ployer. 

13  (C)  Burden  of  proof. — The  legal  bur- 

14  dens  of  proof  contained  in  section  42121(b)  of 

15  title  49,  United  States  Code,  shall  apply  to  any 

16  action  brought  under  this  subsection. 

17  (D)  Statute  of  limitations. — ^A  com- 

18  plaint  shall  be  filed  under  paragraph  (1)(A)  not 

19  later  than  2  years  after  the  date  on  which  the 

20  alleged  violation  occurs. 

21  (E)  CmL  actions  to  enforce. — If  a 

22  person  fails  to  comply  with  an  order  issued  by 

23  the  Secretary  of  Labor  pursuant  to  the  proce- 

24  dures  in  section  42121(b)  of  title  49,  United 

25  States  Code,  the  Secretary  shall  have  the  au- 
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1  thority  described  in  section  42121(b)(5)  of  title 

2  49,  United  States  Code,  to  bring  a  civil  action 

3  to  enforce  the  order  in  the  district  court  of  the 

4  United  States  for  the  judicial  district  in  which 

5  the  violation  occurred. 

6  (c)  Remedies. — 

7  (1)  In  general. — If  the  Secretary  of  Labor  or 

8  the  district  court  determines  that  a  violation  of  sub- 

9  section  (a)  has  occurred,  the  Secretary  or  court  shall 

10  order  any  relief  necessary  to  make  the  employee 

11  whole.  ' 

12  (2)  Compensatory  damages. — Rehef  in  any 

13  action  under  such  subsection  shall  include — 

14  (A)  reinstatement  of  the  employee  to  the 

15  employee's  former  position  with  the  same  se- 

16  niority  status  that  the  employee  would  have  had 

17  but  for  the  discrimination; 

18  (B)  payment  of  the  amount  of  back  pay, 

19  with  interest,  to  which  the  employee  is  entitled: 

20  and 

21  (C)  the  payment  of  compensation  for  any 

22  special  damages  sustained  by  the  employee  as  a 

23  result  of  the  discrimination,  including  litigation 

24  costs,  expert  witness  fees,  and  reasonable  attor- 

25  ney  fees. 
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1  (3)  Punitive  damages. — Relief  in  any  action 

2  under  such  subsection  may  include  punitive  damages 

3  in  an  amount  not  to  exceed  $250,000. 

4  (d)  Rights  Retained  by  the  Employee. — Noth- 


5  ing  in  this  section  shall  be  construed  to  diminish  or  elimi- 

6  nate  the  rights,  privileges,  or  remedies  available  to  an  em- 

7  ployee  under  any  Federal  or  State  law,  or  under  any  col- 

8  lective  bargaining  agreement.  •  , 


9  (e)  Limitation. — The  protections  of  this  section 

10  shall  not  apply  to  any  employee  who — 

11  (1)  deliberately  causes  or  participates  in  the  al- 

12  leged  \iolation;  or 

13  (2)  knowingly  or  recldessly  provides  materially 

14  false  information  to  an  individual  or  entity  described 

15  in  subsection  (a).  r; 

16  (f)  Definitions. — In  this  section: 

17  (1)   Employ. — The  term  "employ"  has  the 

18  meaning  given  such  term  under  section  3(g)  of  the 

19  Fair  Labor  Standards  Act  of  1938   (29  U.S.C. 

20  203(g))  for  the  purposes  of  implementing  the  re- 

21  quirements  of  that  Act  (29  U.S.C.  201,  et  seq.). 

22  (2)  Employee. — The  term  "employee"  means 

23  an  individual  who  is  employed  by  an  employer. 

24  (3)  Employer. — The  term  "employer"  means 

25  any  person  who  employs  employees,  including  any 
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1  person  aeting  ilireotly      indirectly  in  tlie  interest  of 

2  any  employer  in  relation  to  an  ernplDyee  and  in- 

3  chides  a  public  agency. 

4  SEC.  163.  DEMONSTR-\TION  GRAXT  FOR  IXDRTDUALS  WITH 

5  LZVUTED  ENGLISH  LANGUAGE  PROFICLENCY 

6  OR  LLVnTED  HEALTH  LITERACY. 

7  (a)  In  General. — The  Secret aiy  shaU  award  con- 


8  tracts  or  competitive  grants  to  ehgilde  entities  to  support 

9  demonstration  projects  that  are  designed  to  unprove  the 

10  commiuhcation  of  unormation  pertahmig  to  health  privacy 

11  rights  vdth  inch^ichials  ^vith  limited  Enghsh  language  pro- 

12  iiciency  and  Ihnited  health  literacy. 

13  (b)  PmPOsE. — It  is  the  piu-j^ose  i:>f  tins  section,  to 

14  promote  the  ciilniral  competency  of  persons  that  access, 

15  maintain,  retain.  mochfA\  record,  store,  destroy,  or  other- 

16  vise  use  or  chsclose  personal  health  mformation.  and  to 

17  enable  snch  persuns  to  better  cormnnnicate  privacy  proce- 

18  dm^es  to  non-English  speakers,  those  vith  limited  Enghsh 

19  prijficiency.  and  tln^se  vith  limited  health  hteracy. 


20  ici  ElI'tIBLE  Entities. — In  tins  sei-tion.  the  term 

21  "ehgible  entity"'  means  an  orgaihzation  or  commimity- 

22  based  consoninm  that  includes — 

23  1 1 )  inchAidiials  who  are  representatiA-es  of  orga- 

24  rhzations  serving  or  advocatmg  for  etluuc  and  racial 

25  minorities,  low  income  innuigTant  populations,  and 
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1  others  with  hmited  Enghsh  language  proficiency  and 

2  hmited  health  literacy; 

3  (2)  health  care  providers  that  provide  care  for 

4  ethnic  and  racial  minorities,  low  income  immigrant 

5  populations,  and  others  with  limited  English  lan- 

6  giiage  proficiency  and  limited  health  literacy; 

7  (3)  community  leaders  and  leaders  of  commu- 

8  nity-based  organizations;  and 

9  (4)  experts  and  researchers  in  the  areas  of  so- 

10  cial  and  behavioral  sciences,  who  have  knowledge, 

11  training,  or  practical  experience  in  health  policy,  ad- 

12  vocacy,  cultural  and  linguistic  competency,  or  other 

13  relevant  areas  as  determined  by  the  Secretary. 

14  (d)  Application. — ^An  ehgible  entity  seeking  a  con- 

15  tract  or  gi^ant  under  this  section  shall  submit  an  applica- 

16  tion  to  the  Secretaiy  at  such  time,  in  such  manner,  and 

17  containing  such  information  as  the  Secretary  may  require. 

18  (e)  Use  of  Funds. — ^An  eligible  entity  shah  use 

19  amounts  received  under  this  section  to  cany  out  programs 

20  and  studies  designed  to  help  identify  best  practices  in  the 

21  communication  of  privacy  rights  and  procedures  to  ensure 

22  comprehension  by  individuals  with  hmited  English  pro- 

23  ficiency  and  limited  health  literacy. 
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1  SEC.  164.  RELATIONSHIP  TO  OTHER  LAWS. 

2  (a)  Federal  axd  State  Laws. — Notliing  in  this 

3  Act  shall  be  constmed  as  preempting,  superseding,  or  re- 

4  peahng.  exjDhcitly  or  implicitly,  other  Federal  or  State  laws 

5  or  regulations  relating  to  personal  health  information  or 

6  relating  to  an  mdiAiduars  access  to  personal  health  infor- 

7  mation  or  health  care  senices,  if  such  laws  or  regulations 

8  provide  protections  for  the  rights  of  indiAiduals  to  the  pri- 

9  vacy  of.  and  access  to,  their  health  information  that  is 

10  greater  than  those  provided  for  in  this  Act. 

11  (b)  Prrtleges. — Nothing  in  this  Act  shaU  be  con- 

12  stmed  to  preempt  or  mochfy  any  pro\isions  of  State  statu- 

13  tor\^  or  common  law  to  the  extent  that  such  law  concerns 

14  a  privilege  of  a  \\itness  or  person  in  a  court  of  that  State. 

15  This  Act  shall  not  be  construed  to  supersede  or  modify 

16  any  provision  of  Federal  statutoiy  or  conmion  law  to  the 

17  extent  such  laAv  concerns  a  privilege  of  a  A^itness  or  entity 

18  prior  to  a  court  proceechng  or  in  a  court  of  the  United 

19  States.  Informed  consent  shall  not  be  construed  as  a  waiv- 

20  er  of  any  such  privilege. 

21  (c)  Certain  Duties  Under  Law. — Notiiing  in  this 

22  Act  shaU  be  constraed  to  preempt,  supersede,  or  modif)^ 

23  the  operation  of  any  State  law  that — 

24  '  (1)  pro\ides  for  the  reporting  of  vital  statistics 

25  such  as  birth  or  death  information; 
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1  (2)  requires  the  reporting  of  abuse  or  neglect 

2  information  about  any  individual; 

3  (3)  regulates  the  disclosure  or  reporting  of  in- 

4  formation  concerning  an  individual's  mental  health; 

5  or      '  :■■  "  ^, 

6  (4)  governs  a  minor's  rights  to  access  personal 

7  health  information  or  health  care  services.  - 

8  (d)  HeaijTH  Insurance  Portability  and  Ac- 

9  COUNTABILITY  ACT. — The  Standards  governing  the  pri- 

10  vacy  and  security  of  individually  identifiable  health  infor- 

11  mation  promulgated  by  the  Secretary  of  Health  and 

12  Human  Services  under  sections  262(a)  and  264  of  the 

13  Health  Insurance  Portability  and  Accountability  Act  of 

14  1996  shall  remain  in  effect  to  the  extent  that  they  are 

15  consistent  with  this  title.  The  Secretary  shall  by  rule 

16  amend  such  Federal  regulations  as  required  to  make  such 

17  regulations  consistent  with  this  title.  : 

18  SEC.  165.  EFFECTIVE  DATE. 

19  (a)  Epfectr^  Date. — Unless  specifically  provided 

20  for  otherwise,  this  title  shall  take  effect  on  the  date  that 

21  is  12  months  after  the  date  of  the  promulgation  of  the 

22  regulations  required  under  subsection  (b),  or  30  months 

23  after  the  date  of  enactment  of  this  Act,  whichever  is  ear- 

24  lier. 
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1  (b)  Regulations. — Xot  later  than  12  months  after 

2  the  date  of  enactment  of  tliis  Act.  or  as  specifically  pro- 

3  ^ided  for  othen^ise.  the  Secretaiy  shall  promulgate  regnla- 

4  tions  unplementing  this  title. 

5  Subtitle  F — ^General  Definitions 

6  SEC.  171.  GENERAL  DEimrnONS. 

7  In  this  Act: 

8  (1)  Agext. — The  term  "agent"  means  a  person 

9  that  represents  or  acts  for  another  person  (a  prm- 

10  cipal)  under  a  contract  or  relationsliip  of  agency,  or 

11  that  fuuietions  to  bring  about,  modify,  affect,  accept 

12  performance  of,  or  terminate,  contractual  obhgations 

13  between  the  prmcipal  and  a  tliu'd  person.  AVitli  re- 

14  spect  to  ail  employer,  such  term  includes  the  employ- 

15  ees  of  the  employer. 

16  (2)   AUTHORiZATiox. — The   term  "authoriza- 

17  tioii"  means  the  authority  granted  by  an  indi\-idual 

18  that  is  the  subject  of  personal  health  uiforiiiatioii,  in 

19  accordance  ^vLtll  tliis  title,  for  the  disclosui-e  or  use 

20  of  the  iiidi^iduars  personal  health  information. 

21  (3)  Breach. — The  term  '"breach''  means  the 

22  unauthorized  acquisition,  disclosure,  or  loss  of  per- 

23  soiial  health  uiforniatioii  which  compromises  the  se- 

24  cuiit\\  privacy,  or  iiitegTit}'  of  personal  health  iiifor- 

25  mation  mamtamed  by  or  on  behalf  of  a  person. 
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1  (4)  ConpidentiaIjITY. — The  term  "confiden- 

2  tiality"  means  the  obhgations  of  those  who  receive 

3  information  to  respect  the  privacy  interests  of  those 

4  to  whom  the  data  relate.  ,     .     .  ;    ,  / 

5  (5)  De-identified  heai.th  information. — 

6  The  term  "de-identified  heahh  information"  means 

7  any  personal  health  information,  with  respect  to 

8  which — 

9  (A)  all  personal  identifiers,  or  other  infor- 

10  mation  that  may  be  used  by  itself  or  in  com- 

11  bination  with  other  information  which  may  be 

12  available  to  re-identify  (as  defined  in  section 

13  171(25))  the  subject  of  the  information  (such 

14  as  geographic,  credit,  and  financial  information 

15  and  all  of  the  identifiers  enumerated  at  section 

16  164.514(b)(2)  of  title  45  of  the  Code  of  Federal 

17  Regulations  (as  in  effect  on  January  1,  2008)) 

18  have  been  removed; 

19  (B)  a  good  faith  effort  has  been  made  to 

20  evaluate,  minimize,  and  mitigate  the  risks  of  re- 

21  identification  of  the  subject  of  such  information, 

22  using  commonly  accepted  scientific  and  statis- 

23  tical  standards  and  methods  for  minimizing  risk 

24  of  disclosure;  and 
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1  (C)  there  is  no  reasonable  basis  to  believe 

2  that  the  information  can  be  used  to  identify  an 

3  individual. 

4  (6)  Disclose. — The  term  "disclose"  means  to 

5  release,  piibhsh.  share,  transfer,  transmit,  dissemi- 

6  nate.  show,  permit  access  to,  communicate  (orally  or 

7  othei-vdse).  re-identifs\  or  othei-wise  divTilge  personal 

8  health  uiformation  to  any  person  other  than  the  m- 

9  di"^idual  who  is  the  subject  of  such  uiformation. 

10  Such  term  includes  the  uiitial  disclosm^  and  any 

11  subsequent  re-disclosm^e  of  personal  health  informa- 

12  tion. 

13  (7)  Deceyptiox  key. — The  term  '"decnption 

14  key"  means  the  variable  information  used  in  or  pro- 

15  duced  by  a  mathematical  formula,  code,  or  algo- 

16  ritlun,    or    any    component    thereof,    used  for 

17  encniotion    (as    defined   m   paragi'aph    (10))  or 

18  deci'Ai3tion  of  ^Yire,  electronic,  or  other  communica- 

19  tions  or  stored  information. 

20  (8)  DrRECTOE  of  the  office  of  health  IX- 

21  for:^iation  prr^acy. — The  term  "DuTctor  of  the 

22  Office  of  Health  Information  Privacy "  means  such 

23  Dmector  as  appointed  under  section  161. 

24  ^      (9)  E^IPLOYER. — ^Except  as  othei-wise  provided 

25  ixL  section  161,  the  term  '"employer"  means  a  person 
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1  that  is  engaged  in  business  affecting  commerce  and 

2  that  has  employees. 

3  (10)  Encryption. — The  term  "encryption" — 

4  (A)  means  the  protection  of  data  in  elec- 

5  tronic  form,  in  storage  or  in  transit,  using  an 

6  encryption  technology  that  has  been  adopted  by 

7  an  established  standards  setting  body  which 

8  renders  such  data  indecipherable  in  the  absence 

9  of  associated  cryptographic  keys  necessary  to 

10  enable  deciyption  of  such  data;  and 

11  (B)  includes  appropriate  management  and 

12  safeguards  of  such  cryptographic  keys  so  as  to 

13  protect  the  integrity  of  the  encryption.  - 

14  (11)  Health  care. — The  term  "health  care" 

15  means —  , 

16  (A)  preventive,  diagnostic,  therapeutic,  re- 

17  habilitative,  maintenance,  or  palliative  care,  in- 

18  eluding  appropriate  assistance  with  disease  or 

19  symptom  management  and  maintenance,  coun- 

20  seling,  service,  or  procedure — 

21  ^  (i)  with  respect  to  the  physical  or 

22  mental  condition  of  an  individual;  or 

23  (ii)  affecting  the  structure  or  function 

24  of  the  human  body  or  any  part  of  the 

25  human  body,   including  the  banking  of 
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1  blood,  sperm,  organs,  or  any  other  tissue; 

2  or 

3  (B  i  any  sale  or  dispensing  of  a  diiig,  de- 

4  Tiee.  equipment,  or  other  health  eare-related 

5  item  to  an  individual,  or  for  the  use  of  an  indi- 

6  yidual.  pursuant  to  a  prescription. 

7  (12  i   Health   caee   peovidee. — The  term 

8  "health  eare  provider''  means  a  person  that,  ^^vith  re- 

9  speet  to  a  specific  item  of  personal  health  infonna- 

10  tiom  receives,  accesses,  maintains,  retains,  modifies. 

11  records,  stores,  destroys,  or  othei'wise  uses  or  dis- 

12  closes  the  information  while  aethig  hi  whole  or  hi 

13  part  in  the  capacity  of^ — 

14  ^'A^  an  entity  that  is,  or  holds  itself  out  to 

15  ::>ed.  eeitined.  registered,  or  otherwise 

16  :        i  -z-d  by  Federal  or  State  law  to  provide 

17  an  item  or  service  that  constitutes  health  cai^e 

18  in  the  ordinaiy  eom^e  of  business,  or  practice 

19  of  a  profession; 

20  B   a  contractor  or  other  health  eare  pro- 

21  vider  or  fecOity  authorized  to  provide  items  or 

22  services  related  to  diagnosis  or  treatment  of  a 

23  health  con?-?!^-:.  :z_':--~7':hng  a  hospital.  nui\sing  fa- 

24  —    dlity,  ailir  :  i  r       ^irof^sional,  and  a  facihty 
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1  used  or  maintained  by  allied  health  profes- 

2  sionals;  ^ 

3  (C)  a  Federal  or  State  program  that  di- 

4  rectly  provides  items  or  services  that  constitute 

5  health  care  to  beneficiaries; 

6  (D)  an  officer  or  employee  or  agent  of  a 

7  person  described  in  subparagraph  (A)  or  (C) 

8  who  is  engaged  in  the  provision  of  health  care 

9  or  who  uses  personal  health  information;  or 

10  (E)  medical  personnel  in  an  emergency  sit- 

11  nation,  including  while  communicating  personal 

12  health  information  by  radio  transmission  or 

13  other  means. 

14  (13)     HEi^LTH     INFORMATION     PERSON. — The 

15  term  "health  information  person"  means,  in  relation 

16  to  personal  health  information,  a  person,  including  a 

17  health  care  provider,  health  researcher,  health  plan, 

18  health  insurer,   health  care  clearinghouse,  health 

19  oversight  agency,  or  public  health  authority,  or  such 

20  person's  agent,  officer,  employee,  or  affiliate,  that 

21  accesses,    maintains,    retains,    modifies,  records, 

22  stores,  or  otherwise  holds,  uses,  or  discloses  such  in- 

23  formation. 

24  (14)  Health  plan. — 
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1  (A)  Ix  GEXER.lL. — The  term  •■health  plan"* 

2  means — 

3  li)  a  gToiip  health  plan  'as  defined  in 

4  ■  section  2791(aMli  of  the  Public  Heahh 

5  -    -  Senice  Act  i42  U.S.C.  300gg-91(aMli)i; 

6  .  :  "      lii)  health  hisnrance  coverage  (as  such 

7  term  is  defined  in  section  2791ib)ili  of 

8  ■  -    the  Pnbhc  Health  Senice  Act  i42  U.S.C. 

9  ■    -       300gg-91ib)(lM:  or 

10  ;  '  (in)  a  safety-  net  health  plan  (as  de- 
ll fined  in  snbparagTapli  iBn. 

12  (B)     S.IEETY    XET    HE^lLTH    PLAX. — For 

13  ptuposes  of  subparagraph   lAMiiii.  the  term 

14  "safety-  net  health  plan"  means  a  managed  care 

15  organization.       as       defined       in  section 

16  1932i  a ) !  1  M  B  1 1 1 )  of  the  Social  Security  Act — 

17  -  (i)  that  is  exempt  trom  or  not  subject 

18  to  Federal  income  tax.  or  that  is  o^^iied  by 

19  an  entity  or  entities  exempt  fi^om  or  not 

20  subject  to  Federal  income  tax:  and 

21  .  I  ill  for  winch  not  less  than  75  percent 

22  "     of  the  em^oUed  population  receives  benefits 

23  "  under  a  Federal  health  care  program  las 

24  defined  m  section  112SB(fiil)  of  the  So- 

25  cial  Secmity  Act)  or  a  health  care  plan  or 
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1  program  which  is  funded,  in  whole  or  in 

2  part,  by  a  State  (other  than  a  program  for 

3  government  employees).  ^ 
.4               (15)  HeaIjTH  or  life  insurer. — The  term 

5  "health  or  life  insurer"  means  a  health  insurance 

6  issuer  (as  defined  in  section  9805(b)(2)  of  the  Inter- 

7  nal  Revenue  Code  of  1986)  or  a  life  insurance  com- 

8  pany  (as  defined  in  section  816  of  such  Code)  and 

9  includes  the  employees  and  agents  of  such  a  person. 

10  (16)  HeaIjTH  oversight  agency. — The  term 

11  "health  oversight  agency" — 

12  (A)  means  a  person  that — 

13  (i)  performs  or  oversees  the  perform- 

14  ance  of  an  assessment,  investigation,  or 

15  prosecution  relating  to   compliance  with 

16  legal  or  fiscal  standards  relating  to  health 

17  care  fraud  or  fraudulent  claims  regarding 

18  health  care,  health  semces  or  equipment, 

19  related  activities  and  items,  or  the  effec- 

20  tiveness  of  health  privacy  and  security 

21  .        measures;  and 

22  (ii)  is  a  public  executive  branch  agen- 

23  cy,  acting  on  behalf  of  a  public  executive 

24  branch  agency,  acting  pursuant  to  a  re- 

25  quirement  of  a  public  executive  branch 
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1  agency,  or  canning  out  acthities  under  a 

2  '  Federal  or  State  law  governing  an  assess- 

3  ^"  '     '     ment.  evaluation,  determination,  investiga- 

4  tion.  or  prosecution  described  in  clause  (i); 

5  .  •  and 

6  ^     ■       (B)  includes  the  employees  and  agents  of 

7  such  a  person. 

8  (17)  Health  record  set. — The  term  '"heahh 

9  record  set"  means  any  item,  collection,  or  gTOuping 

10  of  mformation  that  includes  personal  health  infor- 

11  mation.  such  as  a  mechcal  record,  electronic  health 

12  record,  electronic  mechcal  record,  personal  heahh 

13  record,  or  account  of  disclosure,  use  or  access,  that 

14  is  created,  accessed,  received,  maintamed.  retained. 

15  modified,  recorded,  stored,  destroyed,  or  othemse 

16  used  or  chsclosed  by  a  health  care  provider,  em- 

17  ployer,  insurer,  health  plan,  health  researcher,  data 

18  partner,  or  other  person  that  relates  to  the  health  or 

19  iUness  of  the  body,  mhid,  or  genome  of  an  incU- 

20  ^idual. 

21  (18)  Health  researcher. — The  term  "heahh 

22  researcher''  means  a  person  that  is  engaged  in  ac- 

23  tiiities  conducted  for  the  purpose  of  advancing  pub- 

24  he  knowledge  and,  with  respect  to  a  specific  item  of 
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1  personal  health  information,  receives  the  informa- 

2  tion—      ,  . 

3  (A)  pursuant  to  section  142  (relating  to 

4  health  research);  or  ; 

5  (B)  while  acting-  in  whole  or  in  part  in  the 

6  capacity  of  an  officer,  employee,  or  agent  of  a 

7  person  that  receives  the  information  pursuant 

8  to  such  section.  ^  . 

9  (19)  Informed  CONSENT. —  ; 

10  (A)   In  general. — Subject  to  subpara- 

11  graph  (B),  the  term  "informed  consent"  means 

12  the  written  authorization  for  use  or  disclosure 

13  of  personal  health  information  by  the  individual 

14  who  is  the  subject  of  such  information,  condi- 

15  tioned  upon —  ^ 

16  (i)  that  individual's  ha™g  been  in- 

17  formed  of  the  nature  and  probability  of 

18  harm  to  the  individual  resulting  from  such 

19  authorization;  and 

20  (ii)  the  authorization  meeting  the  re- 

21  quirements  of  section  122(b). 

22  (B)     Through     inference. — Informed 

23  consent  may  be  inferred,  in  the  absence  of  a 

24  contrary  indication  by  the  individual —  ;  J' 
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1  -.-j^  •  (i)  to  the  extent  neeessaiy  to  provide 

2  treatineiit  and  'jbtain  payment  for  health 

3  care  m  emergency  situations: 

4  ::   ^    ^he  extent  neeessaiy  to  provide 

5  --    treatment  and  payment  where  a  health 

6  •  ^-    :    eaj"'-  ;  :  '  \  >rr  is  reqiiii"-ed  by  law  to  treat 

7  ■  the  imii^ddnal;             -    -  ^ 

8  -  -  :        (iii)  if  the  liealth  eare  provider  is  un- 

9  able  to  -jbtam  mt'.:,iTn-d  consent  due  to 

10  ■  :  substantial  barriers  T^.  •  ::.::/_irneatm2' with 

11  -  the  inchridna!       :  "i.-  provider  reasonably 

12  infers  fivi;.  ■.•ir-.-iunstances.  based  upon 

13  "  "      the  exercise  of  professional  jiidoTnent.  that 

14  "  the  imi^idnal  d^es  n^t      -     -    -\\'^  chsclo- 

15  '      snre  ':ir  the  '     \  -  ir--      a.  ^iit-  best  inter- 

16  "     '  -  est      'i^^:  l^^^;^."^nal:  and 

17  ■    ■  =  -  -  iw)  to  the  extent  the  information  is 

18  -  necessary'  to  carry  out  or  othei^se  irnple- 

19  --  ment  a  mechcal  C't  mental  health  practi- 

20  -  tioner"s  order  or  prescription  for  health 

21  services,  medical  devices  or  supphes.  or 

22  :  pharma';-vn-a>. 

23  ^  (C)  MrL":::-:-:-:  l'ses  axd  disclosiTuES. — 

24  — -   Infomied  consent  may  authorize  multiple  uses 

25  or  disclosures.  ?' 
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1  (20)  Office  of  health  information  pri- 

2  VACY. — The  term  "Office  of  Health  Information  Pri- 

3  vacy"  means  the  Office  of  Health  Information  Pri- 

4  vacy  designated  under  section  161. 

5  (21)  Person. — The  term  "person"  means  an 

6  entity  that  is  a  government,  governmental  subdivi- 

7  sion  of  an  executive  branch  agency  or  authority,  cor- 

8  poration,  company,  association,  firm,  partnership, 

9  society,  estate,  trust,  joint  venture,  individual,  indi- 

10  vidual  representative,   tribal   govermnent,   or  any 

11  other  legal  entity.  Such  term  also  includes  the  em- 

12  ployees,  contractors,  agents,  and  affiliates  of  all  legal 

13  entities  described  in  the  preceding  sentence,  whether 

14  or  not  they  are  acting  in  the  capacity  of  their  em- 

15  ployment,  contract,  agency,  or  affiliation. 

16  (22)  Privacy. — The  term  "privacy"  means  an 

17  individual's  right  to  control  the  acquisition,  uses,  or 

1 8  disclosures  of  his  or  her  identifiable  health  data. 

19  (23)  Personal  health  information. — 

20  (A)  In  general. — The  term  "personal 

21  health  information"  means  any  information,  in- 

22  eluding  genetic  information,  biometric  informa- 

23  tion,  demographic  information,  and  tissue  sam- 

24  pies  collected  from  an  individual,  whether  oral 

25  or  recorded  in  any  form  or  medium,  that — 
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1  ■  '  (i)  is  created  or  received  by  a  health 

2  care  pro^^der.   heahh   researcher,  heahh 

3  plan,  health  or  life  insurer,  medical  or 

4  health  saAings  plan  administrator,  health 

5  care  clearinghouse,  health  oversiD'ht  agen- 

6  ey,  public  health  authority,  employer,  data 

7  partner,  or  other  person  or  such  person's 

8  agent,  officer,  or  employee;  and 

9  (ii)(I)  relates  to  the  past,  present,  or 

10  future  physical  or  mental  health  or  condi- 

11  tion  of  an  individual  (including  individual 

12  cells  and  their  components),  the  provision 

13  of  health  care  to  an  individual,  or  the  past, 

14  present,  or  fixture  pavment  for  the  provi- 

15  sion  of  health  care  to  an  individual:  and 

16  '      (II)(aa)  identifies  an  individual:  or 

17  (bb)  v\ith  respect  to  vviiich  there  is  a 

18  reasonable  basis  to  believe  that  the  infor- 

19  mation  can  be  used  to  identify  an  indi- 

20  vidual. 

21  (B)  Inclusion  of  decryption  IvEY. — 

22  The  term  "personal  health  information"  in- 

23  eludes    any    decn-ption    key    used    for  the 

24  encn-ption  or  deci^ption  of  uiformation  de- 

25  scribed  in  subparagraph  (A).  ' 
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1  (24)  Public  health  authority. — The  term 

2  "public  health  authority"  means  an  authority  or  in-  5 

3  strumentahty  of  the  United  States,  a  tribal  gwern-  i 

4  ment,  a  State,  or  a  political  subdivision  of  a  State  \ 

5  that  is — 

6  (A)  primarily  responsible  for  public  health 

7  matters;  and 

8  (B)  primarily  engaged  in  activities  such  as 

9  injuiy  reporting,  public  health  sui'veillance,  and  ; 

10  public  health  investigation  or  intervention. 

11  (25)   Re-identify. — The  term  "re-identify", 

12  when  used  with  respect  to  de-identified  health  infor- 

13  mation,  means  an  attempt,  successful  or  otherwise, 

14  to  ascertain — 

15  (A)  the  identity  of  the  individual  who  is 

16  the  subject  of  such  information;  or 

17  (B)  the  decryption  key  with  respect  to  the 

18  information  (when  undertaken  with  knowledge 

19  that  such  key  would  allow  for  the  identification 

20  of  the  individual  who  is  the  subject  of  such  in- 

21  formation).  '* 

22  (26)     Secretary. — The    term  "Secretary" 

23  means  the  Secretary  of  Health  and  Human  Services. 

24  (27)  Security. — The  term  "security"  means 

25  physical,  technological,  or  administrative  safeguards 
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1  or  tools  used  to  protect  identifiable  health  data  from 

2  unwarranted  access  or  disclosnre. 

3  (28)  Security  breach. — The  term  "securitA' 

4  breach"   means  the  physical,   structural,   or  sub- 

5  stantive  compromise  of  the  security  of  personal 

6  health  information,  through  unauthorized  dischjsure. 

7  use.  or  access,  whether  actual  or  attempted,  result- 

8  ing  in  the  acquisition,  access,  or  use  of  such  infor- 

9  mation  by  an  unauthorized  person.  Such  term  does 

10  not  apply  to  good  faith  or  accidental  acquisition,  or 

11  disclosure  of  personal  health  information  by  an  un- 

12  authorized  person,  so  long  as  no  fmther  use  or  dis- 

13  closure  is  made  by  such  person. 

14  (29)     Segregate. — The    term  "segTegate" 

15  means  to  hide.  mask,  or  mark  separate  a  designated 

16  subset  of  an  indiAddual's  personal  health  informa- 

17  tion.  or  to  place  such  a  subset  in  a  location  that  is 

18  secm^ely  separated  fi'om  the  location  used  to  store 

19  other  personal  health  information,  such  that  access 

20  to  or  use  of  any  information  so  segregated  may  be 

21  effectively  limited  to  those  persons  that  are  autlior- 

22  ized  by  the  individual  to  access  or  use  that  seg- 

23  regated  information. 

24  (30)  Signed. — The  term  "signed"  refers  both 

25  to  signatures  in  ink  and  to  electronic  signatures  that 
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1  are  authenticated  by  the  individual  using  an  authen- 

2  tication  method  apj^roved  by  the  Secretary. 

3  (31)  State. — The  term  "State"  means  each  of 

4  the  several  States,  the  District  of  Columbia,  Puerto 

5  Rico,  the  Virgin  Islands,  Guam,  American  Samoa, 

6  and  the  Northern  Mariana  Islands. 

7  (32)      To     THE     MAXIMUM     EXTENT  PRAC- 

8  TICABLE. — The  term  "to  the  maximum  extent  prac- 

9  ticable"  means  the  level  of  compliance  that  a  reason- 

10  able  person  would  deem  technologically  feasible  so 

11  long  as  such  feasibility  is  periodically  evaluated  in 

12  light  of  scientific  advances. 

13  (33)  Use. — The  term  "use"  means  to  create, 

14  record,    collect,    access,    obtain,    store,  maintain, 

15  amend,  correct,  restore,  modify,  supplement,  iden- 

16  tify,  re-identify,  employ,  apply,  utilize,  examine,  ana- 

17  lyze,  detect,  remove,  destroy,  dispose  of,  account  for, 

18  or  monitor  the  flow  of  personal  health  information. 

19  (34)  WRITING;  WRITTEN. — The  terms  "writing" 

20  and  "wiitten"  mean  witing  or  mitten,  respectively, 

21  in  either  a  paper-based  or  computer-based  form,  in- 

22  eluding  electronic  and  digital  signatures. 
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1  TITLE  II— PROMOTION  OF 

2  HEALTH  INFORMATION  TECH- 

3  NOLOGY 

4  Subtitle  A — Improving  the  Inter- 

5  operability  of  Health  Informa- 

6  tion  Technology 

7  SEC.  201.  OFFICE  OF  THE  NATIONAL  COORDLNATOR  OF 

8  HEALTH  ESTORZVIATION  TECHNOLOGY. 

9  (ai  EsT.\BLlsHAiEXT. — There  is  established  \\ithin 

10  the  office  of  the  Secretaiy.  the  Office  of  the  National  Co- 

11  orcliiiator  of  Health  Information  Technology.  The  Xa- 

12  tional  Coordinator  shah  be  appointed  by  the  Secretaiy  in 

13  constiltation  ^^ith  the  President,  and  shall  repoil:  du'ectly 

14  to  the  Secretaiy. 


15  (bi  Purpose. — The  Office  of  the  National  Coordi- 

16  nator  shall  be  responsible  for — 

17  ( 1 1  ensuring  that  key  health  information  tech- 

18  nology  initiatives  are  coordinated  across  programs  of 

19  the  Department  of  Health  and  Human  Sendees: 

20  ( 2  1  ensuring  that  health  information  technology 

21  pohcies  and  programs  of  the  Depannient  of  Health 

22  and  Human  Sendees  are  coordinated  ^\ith  such  poli- 

23  cies  and  programs  of  other  relevant  Federal  agencies 

24  (including  Federal  commissions  and  ad^isoiy  coni- 

25  mitteesi  vith  a  goal  of  avoiding  duphcation  of  ef- 
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1  forts  and  of  helping"  to  ensure  that  each  agency  un- 

2  dertakes  activities  primarily  within  the  areas  of  its 

3  gi^eatest  expertise  and  technical  capability; 

4  (3)  reviewing  Federal  health  information  tech- 

5  nology  investments  to  ensure  that  Federal  health  in- 

6  formation  technology  programs  are  meeting  the  ob- 

7  jectives  of  the  strategic  plan  published  by  the  Office 

8  of  the  National  Coordinator  of  Health  Information 

9  Technologj^  to  establish  a  nationwide  interoperable 

10  health  information  technology  infrastructure; 

11  (4)  providing  comments  and  advice  regarding 

12  specific  Federal  health  information  technology  pro- 

13  grams,  at  the  request  of  Office  of  Management  and 

14  Budget; 

15  (5)  enliancing  the  use  of  health  information 

16  technology  to  improve  the  quality  of  health  care  in 

17  the  prevention  and  management  of  chronic  disease 

18  and  to  address  population  health;  and 

19  (6)  consulting  with  the  Office  of  Health  Infor- 

20  mation  Privacy  to  ensure  that  key  health  informa- 

21  tion  technology  initiatives  of  the  Department  of 

22  Health  and  Human  Sei^vices  and  other  Federal 

23  agencies  are  consistent  with  the  privacy,  confiden- 

24  tiality,  and  security  requirements  in  title  I. 
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1  (c)  R<:-LE  With  A:vIEEic\x  He-\i.th  Ixf(jralvtiox 

2  COADK^Xm'  AND  THE  PaRTXERSHIP  FOR  He^H^TH  C\EE 

3  Iaipri:)\t:aiext. — The  Office  of  the  Xational  Coordinator 

4  shall— 

5  !  1 1  sen  e  as  an  ex  officio  member  of  the  Amer- 

6  ican   Health   Informatitjn    C'jnnminity  estalilished 

7  imder  section  203.  and  act  as  a  haison  hetAveen  the 

8  Fedt-ral  G-ovenunent  and  the  Conummity; 

9  '  2  I  sen'e  as  an  ex  ijfficio  member  of  the  Part- 

10  nership  and  act  as  a  haisijri  bet^veen  the  Federal 

11  Goverrmient  and  the  Pannerslhp  for  Heahh  Care 

12  Improvement  i  established  tinder  section  202  i:  and 

13  1 3  I  senT  as  a  haison  bet^veen  tlie  Partnership 

14  and  tlie  Conuniimty. 

15  kIi  PiEPCiRTS  AXD  WEB^^ITE. — The  Office  of  the  Xa- 

16  tional  Coordinator  shaU — 

17  ill  develop  and  ptilTish  a  strategic  plan  for  hn- 

18  plementiug'  a  natiom^ide  interoperable  health  inlbr- 

19  mation  teclmolog^-  urfi^astractnre: 

20  1 2  !  maintain  and  fi-eciiiently  update  an  Internet 

21  website  that — 

22  lAi  publishes  the  schedule  for  the  assess- 

23  rnent  of  standards  for  significant  use  cases: 

24  iBi  publishes  the  recoimnendations  of  the 

25  American  Health  Information  ConnnnnitA-; 
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1  (C)  publishes  the  recommendations  of  the 

2  Partnership  for  Health  Care  Improvement;  - 

3  (D)  publishes  quality  measures; 

4  (E)  identifies  sources  of  funds  that  will  be 

5  made  available  to  facilitate  the  purchase  of,  or 

6  enhance  the  utilization  of,  health  information 

7  technology  systems,  either  tlu'ough  gi-ants  or 

8  technical  assistance;  and 

9  (F)  publishes  a  plan  for  a  transition  of  any 

10  functions  of  the  Office  of  the  National  Coordi- 

11  nator  that  should  be  continued  after  September 

12  30,  2014; 

13  (3)  prepare  a  report  on  the  lessons  learned 

14  from  major  public  and  private  health  care  systems 

15  that  have   implemented  health   information  tech- 

16  nology  systems,  including  an  exjolanation  of  whether 

17  the  systems  and  practices  developed  by  such  systems 

18  may  be  applicable  to  and  usable  in  whole  or  in  part 

19  by  other  health  care  providers;  and 

20  (4)  assess  the  impact  of  health  information 

21  technology  in  communities  with  health  disparities 

22  and  identify  practices  to  increase  the  adoption  of 

23  such  technology  by  health  care  providers  in  such 

24  communities. 
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1  (e)  Rule  of  Construction. — Nothing  in  this  sec- 

2  tion  shall  be  construed  as  requiring  the  duplication  of  Fed- 

3  eral  efforts  with  respect  to  the  establishment  of  the  Office 

4  of  the  National  Coordinator  of  Health  Information  Tech- 

5  nology,  regardless  of  whether  such  efforts  are  carried  out 

6  before  or  after  the  date  of  the  enactment  of  this  title. 


7  (f)  Authorization  op  Appropriations. — There  is 

8  authorized  to  be  appropriated  to  cany  out  this  section, 

9  $5,000,000  for  each  of  fiscal  years  2009  and  2010. 

10  (g)  Sunset. — The  provisions  of  this  section  shall  not 

11  apply  after  September  30,  2014. 

12  SEC.  202.  PARTNERSHIP  FOR  HEALTH  CARE  IMPROVE- 

13  MENT. 

14  (a)  Establishment. — 

15  (1)  In  general. — There  is  estabhshed  a  pub- 

16  lie-private  Partnership  for  Health  Care  Improvement 

17  (in  this  title  referred  to  as  the  "Partnership")  to — 

18  (A)  provide  advice  to  the  Secretary  and  the 

19  Nation    and   recommend    specific    actions  to 

20  achieve  a  nationrnde  interoperable  health  infor- 

21  mation  technology  infrastructure; 

22  (B)    make    recommendations  concerning 

23  standards,  including  privacy,  security,  and  con- 

24  ~-     fidentiality  standards,  implementation  specifica- 

25  tions,  and  certification  criteria  for  the  electronic 
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1  exchange  of  personal  health  information  (in- 

2  eluding  for  the  reporting  of  quality  data  under 

3  section  221)  for  adoption  by  the  Federal  Gov-  | 

4  ernment  and  voluntaiy  adoption  by  private  enti- 

5  ties  that  are  consistent  with  the  requirements  of 

6  title  I; 

7  (C)  serve  as  a  forum  for  the  participation 

8  of  a  broad  range  of  stakeholders  with  specific 

9  technical  ex})ertise  in  the  development  of  stand- 

10  ards,  implementation  specifications,  and  certifi- 

11  cation  criteria  and  protection  of  privacy  and 

12  data  security  to  provide  input  on  the  effective 

13  implementation    of   health    information  tech- 

14  nology  systems;  and 

15  (D)   develop   and  maintain  an  Internet 

16  website  that — 

17  (i)  pu})lishes  established  governance 

18  rules  (including  a  subsequent  appointment 

19  process); 

20  (ii)  publishes  a  business  plan; 

21  *  (iii)  publishes  meeting  notices  at  least 

22  14  days  prior  to  each  meeting; 

23  (iv)    publishes   meeting   agendas  at 

24  least  7  days  prior  to  each  meeting;  and 
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1  (V)    publishes   meeting-   materials  at 

2  least  3  days  prior  to  each  meeting". 

3  (2)  Llaiitatiox. — The  Partnership  shah  not 

4  meet  or  take  any  action  nntil  an  achisory  committee 

5  charter  has  been  filed  with  the  Secretaiy  and  with 

6  the  appropriate  committees  of  the  Senate  and  House 

7  of  Representatives  for  the  American  Health  Infor- 

8  niation  Community  described  in  section  203. 

9  (b)  ]\lEMBEESmp. — 

10  (1)  :\1eaibers. — The  members  of  the  Partner- 

1 1  sliip  shaU  consist  of  the  foUomng: 

12  (A)    Appointed    ^iembers. — The  ap- 

13  pointed  members  of  the  Partnership  shall  be 

14  appointed  as  foUoAvs: 

15  (i)  2  members  shah  be  appointed  by 

16  the  Secretaiy. 

17  ■  (h)  1  memlier  shah  l^e  appointed  by 

18  -      ■     the  majority  leader  of  the  Senate. 

19  (iii)  1  member  shall  be  appointed  by 

20  the  minority  leader  of  the  Senate. 

21  -       ■  (Ia')  1  member  shah  be  appointed  by 

22  the  Speaker  of  the  House  of  Representa- 

23  •  tiyes. 
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1  (v)  1  member  shall  be  appointed  by 

2  the  minority  leader  of  the  House  of  Rep- 

3  resentatives. 

4  (vi)  Seven  members  shall  be  appointed 

5  by  the  Comptroller  General  of  whom — 

6  (I)  one  member  shall  be  a  rep- 

7  resentative  of  consumer  or  patient  or- 

8  ganizations; 

9  (II)  one  member  shall  be  a  rep- 

10  resentative  of  organizations  with  ex- 

1 1  pertise  in  the  protection  of  privacy; 

12  (III)  one  member  shall  be  a  rep- 

13  resentative  of  organizations  with  ex- 

14  pertise  in  security; 

15  (IV)  one  member  shall  be  a  rep- 

16  resentative  of  health  care  providers; 

17  (V)  one  member  shall  be  a  rep- 

18  resentative  of  health  plans  or  other 

19  third  party  payers; 

20  (VI)  one  member  shall  be  a  rep- 

21  ,  resentative  of  information  technology 

22  vendors;  and 

23  (VII)  one  member  shall  be  a  rep- 

24  resentative  of  purchasers  or  employ- 

25  ers. 
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1  (B)  Xatiox.vl  rooRDiXAToK. — The  Xa- 

2  tioiial  Coordinator  shall  be  a  member  of  the 

3  Partnership  and  act  as  a  liaison  among  the 

4  Partnership,  the  eonmimiity,  and  the  Federal 

5  Government. 

6  (2)    ClLURPERSOX  AXD  (ILVIPxPERSOX.  

7  The  Partnersliip  shall  designate  one  meml3er  to 

8  senT  as  the  chairperson  and  one  meml^er  to  sen'e  as 

9  '  the  ^ice  chairperson  of  the  Partnership. 

10  (3)    P^VRTICIPATIOX. — [Members   shall   be  ap- 

11  pointed  under  paragraph  (1)(A).  and  the  Paitner- 

12  slup  shaU  develop  procedures  for  conducting  its  ac- 

13  ti^ities.  so  as  to  ensure  a  balance  among  various  see- 

14  tors  of  the  health  care  system  so  that  no  single  sec- 

15  tor  undulv  influences  the  recommendations  of  the 

16  Partnership. 

17  (4)  Ter^IS. — ^lembers  appointed  under  para- 

18  graph  (1)(A)  shall  senT  for  3  year  terms,  except 

19  that  any  member  appointed  to  fill  a  vacancy  for  an 

20  unexj^ired  term  shall  be  appointed  for  the  remainder 

21  of  such  term.  A  menil^er  may  sen^e  for  not  to  exceed 

22  180  days  after  the  ex}3iration  of  such  member's  term 

23  or  until  a  successor  has  been  appointed. 

24  (5)  Outside  ixa^ola^e^iext. — The  Partnership 

25  shall  ensure  an  adeciuate  opportunity  for  the  partiei- 
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1  pation  of  outside  advisors,  including  individuals  with 

2  expertise  in — 

3  (A)  the  protection  of  personal  health  infor- 

4  mation  privacy; 

5  (B)  personal  health  information  security; 

6  (C)  health  care  quality  and  patient  safety, 

7  including  individuals  with  expertise  in  utilizing 

8  health  information  technology  to  improve  health 

9  care  quality  and  patient  safety; 

10  (D)  medical  and  clinical  research  data  ex- 

11  change;  and 

12  (E)   developing  health  information  tech- 

13  nology  standards  and  new  health  information 

14  technology. 

15  (6)  Quorum. — Two-thirds  of  the  members  of 

16  the  Partnership  shall  constitute  a  quorum  for  the 

17  purpose  of  conducting  votes. 

18  (c)  Standards  and  Implementation  Specifica- 

19  TIONS. — 

20  (1)  Schedule. — Not  later  than  90  days  after 

21  the  date  of  enactment  of  this  title,  the  Partnership 

22  shall  develop  a  schedule  for  the  assessment  of  stand- 

23  ards  and  implementation  specifications  under  this 

24  section.  The  Partnership  shall  update  such  schedule 

25  annually.  The  Secretaiy  shall  publish  such  schedule 
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1  in  rhe  Federal  Eegister  and  on  the  Internet  wel^site 

2  of  tlie  DepaiTQient  of  Health  and  Human  Seniees. 

3  (2)   First  ixae  recoadiexdatii:>xs. — Con- 

4  sistent  with  the  schedule  piibhshed  under  para.gi'aph 

5  ili  and  not  later  than  1  year  after  date  of  enaet- 

6  nient  of  this  title,  the  Paitnership  shaU  recommend. 

7  and  the  Secretaiy  shah  review,  such  standards  and 

8  implementation  speciiications. 

9  3    OxLxOiXLi  szcOABiEXDATioxs. — The  Part- 

10  nership  shah  review  and  modify-.  a,s  appropiiate  but 

11  at  least  anniiahy.  adopted  standards  and  hnplemen- 

12  ration  sp^echications  and  contintie  to  reconmiend  ad- 

13  ditional  standards  and  im]:^!-r!:eri':ation  specifications. 

14  consistent  with  the  schedM.-  pMi.ashed  pm'siiant  to 

15  paragraph  tl'.   The  Secretaiy  shah  review  stich 

16  modifications  and  reconmiendations. 

17  i4'  Eecogvitiox  of  pei^'ate  exteties. — The 

18  Partnership,  in  cr-nsnltation  \^th  the  Secretary-,  may 

19  recognize  a  private  entity  or  entities  for  the  piu-pose 

20  of  developing  and  updating  standards  and  implemen- 

21  ration  sp^ecifications  to  achieve  imifoim  and  con- 

22  sistent  implement  a  tii^n  of  the  standards  adopted  by 

23  the  President  tmder  this  title.  Such  entity-  or  entities 

24  shah  make  recommendations  to  the  Paitnei-ship  con- 

25  sistent  with  this  section. 
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1  (5)  Publication. — ^All  recommendations  made 

2  by  the  Partnership  pursuant  to  this  section  shall  be 

3  published  in  the  Federal  Register  and  on  the  Inter- 

4  net  website  of  the  Office  of  the  National  Coordi- 

5  nator.  r 

6  (6)     Requirement    for    certain  rec- 

7  OMMENDATIONS. — The  Partnership  may  not  issue 

8  any  recommendation  that  affects  an  individual's 

9  right  to  health  information  privacy  unless  such  rec- 

10  ommendation  receives  the  affirmative  support  of  the 

11  consumer  or  patient  organization  representative  of 

12  the     Partnersliip     appointed     under  subsection 

13  (b)(l)(A)(^d)(I). 

14  (7)  Pilot  testing. — The  Secretaiy  may  con- 

15  duct,  or  recognize  a  private  entity  or  entities  to  con- 

16  duct,  a  pilot  project  to  test  the  standards  and  imple- 

17  mentation  specifications  developed  under  this  section 

18  in  order  to  provide  for  the  efficient  implementation 

19  of  the  standards  and  implementation  specifications 

20  described  in  this  subsection  prior  to  issuing  such 

21  recommendations. 

22  (8)  Public  input. — The  Partnership  shall  con- 

23  duct  open  public  meetings  and  develop  a  process  to 

24  allow  for  public  comment  on  the  schedule  and  rec- 

25  ommendations  described  in  tliis  section.  Such  proe- 
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1  ess  shall  ensure  that  such  comments  will  he  sub- 

2  mitted  Anthin  30  days  of  the  pul)heation  of  a  rec- 

3  oniniendation  under  this  section. 

4  (9)  Federal  action. — Not  later  than  90  days 

5  after  the  issuance  of  a  recommendation  from  the 

6  Partnership  under  this  sul^section.  the  Secretan^,  in 

7  collaboration  with  representatives  of  other  relevant 

8  Federal  agencies  as  determined  appropriate  hy  the 

9  President,  shall  jointly  review  such  recommendation. 

10  If  appropriate,  the  President  shall  provide  for  the 

11  adoption  by  the  Federal  Government  of  any  stand- 

12  ard  or  implementation  specification  contained  in 

13  such  recommendation  only  after  providing  an  oppor- 

14  tunity  for  public  comment  in  accordance  ^^itll  section 

15  553  of  title  5.  United  States  Code.  Such  determina- 

16  tion  shaU  be  published  in  the  Federal  Register  and 

17  on  the  Internet  website  of  the  Office  of  the  National 

18  Coordinator  A^ithin  30  days  after  such  determination 

19  is  made. 

20  (10)  Consistency. — The  standards  and  imple- 

21  mentation  specifications  described  in  this  subsection 

22  shall  be  consistent  vith  the  privacy  protections  in 

23  title  I  and  the  standards  for  information  trans- 

24  actions  and  data  elements  developed  pursuant  to  the 

25  reg-ulations  promulgated  under  section  264(c)  of  the 
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1  Health  Insurance  Portability  and  Accountability  Act 

2  of  1996. 

3  (d)  Certification. — 

4  (1)  De\^L(3PING  criteria. — The  Partnership, 

5  in  consultation  with  the  Secretary,  may  recognize  a 

6  private  entity  or  entities  for  the  purpose  of  devel- 

7  oping'  and  recommending  to  the  Partnership  criteria 

8  to  certify  that  appropriate  categories  of  health  infor- 

9  mation  technology  products  that  claim  to  be  in  com- 

10  pliance  with  applicable  standards  and  implementa- 

11  tion  specifications  adopted  under  this  title  have  es- 

12  tablished  such  compliance. 

13  (2)  AI30PTI0N  OF  CRITERIA. — The  Secretary, 

14  based  upon  the  recommendations  of  the  Partnership, 

15  shall  review,  and  if  appropriate,  adopt  such  criteria. 

16  (3)  Conducting  certification. — The  Sec- 

17  retaiy  may  recognize  a  private  entity  or  entities  to 

18  conduct  the  certifications  described  under  paragraph 

19  (1)  using  the  criteria  adopted  by  the  Secretary 

20  under  this  subsection. 

21  (e)  Rule  of  Construction. — Nothing  in  this  sec- 

22  tion  shall  be  construed  as  disrupting  existing  activities  de- 

23  scribed  in  subsection  (c)  or  (d). 

24  (f)  Requirement  to  Consider  Recommenda- 

25  TIONS. — In  cariying  out  the  activities  described  in  sub- 
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1  sections  (c)  and  (d).  the  Partnership  shall  ad()i)t  and  inte- 

2  grate  the  recommendations  of  the  American  Health  Infor- 

3  mation  Comnmnity  that  are  adopted  by  the  Secretary. 

4  ig)  AUTHOKIZATIOX  OF  APPROPRLITIOXS. — There 

5  are  authorized  to  be  appropriated  to  carry  ont  this  section. 

6  $2,000,000  for  each  of  the  fiscal  years  2009  and  2010. 

7  SEC.  203.  AMERICAN  HEALTH  INFORMATION  COMMUNITY 

8  POLICIES. 

9  (a)  ESTABLismiEXT. — There  is  established  a  com- 

10  niittee  to  be  kno^Mi  as  the  American  Health  Information 

11  Comnmnity  (in  this  section  referred  to  as  the  "Coimmi- 

12  nity"").  The  Conunnnity  shall — 

13  (1)  provide  advice  to  the  Secretaiy  and  the 

14  heads  of  any  relevant  Federal  agencies  concerning 

15  the  policy  considerations  related  to  health  informa- 

16  tion  technology; 

17  (2)  not  later  than  1  year  after  the  date  of  en- 

18  actment  of  this  title,  and  annually  thereafter,  make 

19  recommendations  concerning  a  policy  framework  for 

20  the  development  and  adoption  of  a  natiom\-ide  inter- 

21  operable  health  information  tecluiology  infi^astruc- 

22  ture; 

23  (3)  not  later  than  1  year  after  the  date  of  en- 

24  actment  of  tliis  title,  and  annuaUy  thereafter,  make 

25  recommendation   concerning   national   pohcies  for 
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1  adoption  by  the  Federal  Government,  and  voluntary 

2  adoption  by  private  entities,  to  support  the  wide- 

3  spread  adoption  of  health  information  technology, 

4  including — 

5  (A)  the  protection  of  personal  health  infor- 

6  mation,  including  policies  concerning  the  indi- 

7  vidual's  ability  to  control  the  acquisition,  uses, 

8  and  disclosures  of  personal  health  information; 

9  (B)  methods  to  protect  personal  health  in- 

10  formation  from  improper  use  and  disclosures 

1 1  •  and  methods  to  notify  patients  if  their  personal 

12  health  information  is  wrongfully  disclosed; 

13  (C)  methods  to  facilitate  and  secure  access 

14  to  such  individual's  personal  health  information; 

15  (D)  the  appropriate  uses  of  a  nationwide 

16  personal  health  information  infrastructure  in- 

17  eluding — 

18  (i)  the  collection  of  quality  data  and 

19  pubhc  reporting; 

20  (ii)  biosui'veillance  and  public  health; 

21  ,  (iii)  medical  and  clinical  research;  and 

22  (iv)  drug  safety; 

23  (E)  fostering  the  public  understanding  of 

24  health  information  technology; 
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1  • (F)  strategies  to  enhance  the  use  of  health 

2  information  teclniology  in  preventing  and  man- 

3  aging  chronic  disease;  ' 

4  (G)  pohcies  to  incorporate  the  input  of  em- 

5  ployees  of  health  care  providers  in  the  design 

6  and  implementation  of  health  information  tech- 

7  ;i  '      nology  systems;  and 

8  (H)  other  policies  determined  to  be  nec- 

9  essary  by  the  Connnunity;  and 

10  (4)  serve  as  a  forum  for  the  participation  of  a 

11  broad  range  of  stakeholders  to  provide  input  on  im- 

12  proving  the  effective  implementation  of  health  infor- 

13  mation  technology  systems. 


14  The  Community  may  not  make  any  recommendation  that 

15  affects  an  indi\dduars  right  to  health  information  privacy 

16  unless  the  recommendation  receives  the  affirmative  sup- 

17  port  of  the  consumer  or  patient  organization  representa- 

1 8  tive  appointed  under  subsection  (c)  ( 1 )  (A)  (viii) (I) . 

19  (b)  Publication. — ^All  recommendations  made  by 

20  the  Community  pursuant  to  this  section  shall  be  published 

21  in  the  Federal  Register  and  on  the  Internet  website  of  the 

22  National  Coordinator.  The  Secretaiy  shall  re\dew  all  rec- 

23  ommendations  and  determine  wliich  reconnnendations 

24  shall  be  endorsed  by  the  Federal  Government  and  such 

25  determination  shall  be  published  on  the  Internet  website 
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1  of  the  Office  of  the  National  Coordinator  after  an  oppor- 

2  tunity  for  pubhc  comment  in  accordance  with  section  553 

3  of  title  5,  United  States  Code.    :  •  ^ 


4  (c)  Meivibership. —  •• 

5  (1)  Members. — The  members  of  the  Commu- 

6  nity  shall  consist  of  the  following: 

7  (A)    Appointed    members. — The  ap- 

8  pointed  members  of  the  Community  shall  be  ap- 

9  pointed  as  follows: 

10  (i)  3  members  shall  be  appointed  by 

11  the  Secretary,  1  of  whom  shall  be  a  rep- 

12  resentative  from  the  Department  of  Health 

13  and  Human  Services. 

14  (ii)  1  member  shall  be  appointed  by 

15  the  Secretary  of  Veterans  Affairs  who  shall 

16  represent  the  Department  of  Veterans  Af- 

17  fairs. 

18  (iii)  1  member  shall  be  appointed  by 

19  the  Secretary  of  Defense  who  shall  rep- 

20  resent  the  Department  of  Defense. 

21  ,  (iv)  1  member  shall  be  appointed  by 

22  the  majority  leader  of  the  Senate. 

23  (v)  1  member  shall  be  appointed  by 

24  the  minority  leader  of  the  Senate. 

h.  ?  :? 
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1  l?^Vi;     ■  '       (vi)  1  member  shall  be  appointed  by 

2  :j'  ^f-  .•     the  Speaker  of  the  House  of  Representa- 

3  .  lives. 

4  M-  r  Vi,;  (vii)  1  member  shall  be  appointed  by 

5  the  minority  leader  of  the  House  of  Rep- 

6  resentatives. 

7  (viii)    Nine   members   shall   be  ap- 

8  ^       -  pointed  by  the  Comptroller  General  of 

9  ■  i  whom — 

10  ^r,  (I)  one  member  shah  be  advo- 

11  M-;  ■  .  cates  for  patients  or  consumers; 

12  (II)  one  member  shall  represent 

13  :  ,  health  care  providers; 

14  -  (III)  one  member  shall  be  from  a 

15  f-      •  ?  '      labor  organization  representing  health 

16  care  workers; 

17  1  '   '       (IV)  one  member  shall  have  ex- 

18  J-   -  .  pertise  in  the  protection  of  privacy 

19  i  ,  ■-.     ^  '    and  data  security; 

20  -  (V)  one  member  shall  have  exper- 

21  -  tise  in  improving  the  health  of  vulner- 

22  able  populations; 

23  7,  -  .     '  (VI)  one  member  shall  represent 

24  —   .    .  health  plans  or  other  third  party  pay- 

25  :,-  ers; 


•mi  5442  ffl 


122 

1  (VII)  one  member  shall  represent 

2  information  technology  vendors;  1 

3  (VIII)    one   member   shall  rep- 

4  resent  purchasers  or  employers;  and 

5  (EX)  one  member  shall  have  ex- 

6  pertise  in  health  care  quality  measure- 

7  ment  and  reporting. 

8  (B)  National  coordinator. — The  Na- 

9  tional  Coordinator  shall  be  a  member  of  the 

10  Community  and  act  as  a  liaison  among  the 

11  Community,  the  partnership,  and  the  Federal 

12  Government. 

13  (2)  Chairperson  and  vice  chairperson. — 

14  The  Community  shall  designate  one  member  to  serve 

15  as  the  chairperson  and  one  member  to  serve  as  the 

16  \dce  chairperson  of  the  Community. 

17  (3)    Participation. — The   members   of  the 

18  Community  appointed  under  paragraph  (1)  shall 

19  represent  a  balance  among  various  sectors  of  the 

20  health  care  system  so  that  no  single  sector  unduly 

21  influences  the  recommendations  of  the  Community. 

22  (4)  Terms.— 

23  (A)  In  general. — The  terms  of  members 

24  of  the  Community  shall  be  for  3  years  except 

25  that  the  Comptroller  General  shall  designate 
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1  staggered  terais  for  the  members  first  ap- 

2  pointed.  -  . 

3  (B)  Vacancies. — Any  member  appointed 

4  to  fill  a  vacancy  in  the  membership  of  the  Com- 

5  mmiits^  that  occui's  prior  to  the  exjoiration  of 

6  the  teiTTL  for  which  the  member's  predecessor 

7  was  appointed  shall  be  appointed  only  for  the 

8  remainder  of  that  term.  A  member  may  sen^e 

9  after  the  exi3iration  of  that  member's  term  until 

10  a  successor  has  been  appointed.  A  vacancy  in 

11  the  Connnnnity  shall  be  filled  in  the  manner  in 

12  wliich  the  original  appomtment  was  made. 

13  (5)  OuTSroE  im^OL^^^iENT. — The  Community 

14  shall  ensure  an  adequate  opportunity  for  the  partici- 

15  pation  of  outside  advisors,  mcluduig  mdividuals  with 

16  expertise  m — 

17  (A)  the  protection  of  health  uiformation 

18  privacy  and  securitA^; 

19  (B)  improwig  the  health  of  vuhierable 

20  populations; 

21  (C)  health  care  quahtv^  and  patient  safety, 

22  includuig  individuals  with  expertise  in  measure- 

23  ment  and  the  use  of  health  information  tech- 

24  nologA^  to  captuiT  data  to  miprove  health  care 

25  quaht^^  and  patient  safety;        ^  - 
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1  (D)  ethics,  including-  the  ethical  standards 

2  of  professional  medical  and  mental  health  prac- 

3  titioner  associations; 

4  (E)  medical  and  clinical  research  data  ex- 

5  change; 

6  (F)   developing  health  information  tech- 

7  nology  standards  and  new  health  information 

8  technology;  and 

9  (G)  the  operation  of  a  State  or  local  health 

10  information  network. 

11  (6)  Quorum. — Ten  members  of  the  Community 

12  shall  constitute  a  quorum  for  purposes  of  voting,  but 

13  a  lesser  number  of  members  may  meet  and  hold 

14  hearings.  .  ' 

15  (d)  Federal  Agencies. — 

16  (1)  Staff  of  other  federal  agencies. — 

17  Upon  the  request  of  the  Community,  the  head  of  any 

18  Federal  agency  may  detail,  without  reimbursement, 

19  any  of  the  personnel  of  such  agency  to  the  Commu- 

20  nity  to  assist  in  carrying  out  the  duties  of  the  Com- 

21  munity.  Any  such  detail  shall  not  interrupt  or  other- 

22  wise  affect  the  civil  service  status  or  pri\dleges  of  the 

23  Federal  employee  involved. 

24  (2)  Technical  assistance. — Upon  the  re- 

25  quest  of  the  Community,  the  head  of  a  Federal 
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1  agency  shall  provide  such  technical  assistance  to  the 

2  Community  as  the  Community  determines  to  be  nec- 

3  essary  to  carry  out  its  duties. 

4  (3)  Other  resources. — The  Community  shall 

5  have  reasonable  access  to  materials,  resources,  sta- 

6  tistical  data,  and  other  information  from  the  Library 

7  of  Congress  and  agencies  and  elected  representatives 

8  of  the  executive  and  legislative  branches  of  the  Fed- 

9  eral  Government.  The  chairperson  or  vice  chair- 

10  person  of  the  Community  shall  make  requests  for 

1 1  such  access  in  writing  when  necessary. 

12  (e)  Application  of  FACA. — The  Federal  Advisory 

13  Committee  Act  (5  U.S.C.  App.)  shall  apply  to  the  Commu- 

14  nity,  except  that  the  term  pro^dded  for  under  section 

15  14(a)(2)  of  such  Act  shall  be  not  longer  than  7  years. 

16  (f)  Sunset. — The  provisions  of  this  section  shall  not 

17  apply  after  September  20,  2014. 

18  (g)  Authorization  op  Appropriations. — There  is 

19  authorized  to  be  appropriated  to  carry  out  this  section, 

20  $2,000,000  for  each  of  fiscal  years  2009  and  2010. 

21  SEC.  204.  RESEARCH  ACCESS  TO  HEALTH  CARE  DATA  AND 

22  REPORTING  ON  PERFORMANCE. 

23  The  Secretary  shall  permit  researchers  that  meet  cri- 

24  teria  used  to  evaluate  the  appropriateness  of  the  release 
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1  data  for  research  purpose  (as  established  by  the  Sec- 

2  retary)  to — 

3  (1)  have  access  to  all  Federal  health  care  data; 

4  and 

5  (2)  report  on  the  performance  of  health  care 

6  providers  and  suppliers,  including  reporting  in  a 

7  pro\dder-  or  supplier-identifial:>le  format. 

8  Subtitle  B— Facilitating  the  Wide- 

9  spread  Adoption  of  Interoper- 

10  able  Health  Information  Tech- 

11  nology 

12  SEC.  211.  FACILITATING  THE  WIDESPREAD  ADOPTION  OF 

13  INTEROPERABLE     HEALTH  INFORMATION 

14  TECHNOLOGY. 

15  (a)  Competitive  Grants  for  Adoption  of  Tech- 

16  NOLOGY. — 

17  (1)  In  GENERAIj. — The  Seeretar}^  may  award 

18  competitive  grants  to  eligible  entities  to  facilitate  the 

19  purchase  and  enhance  the  utilization  of  qualified 

20  health  information  technology  systems  (as  defined  in 

21  section  213)  to  improve  the  quality  and  efficiency  of 

22  health  care. 

23  (2)  Eligibility. — To  be  eligil^le  to  receive  a 

24  grant  under  paragraph  ( 1 )  an  entity  shall — 


•HR  5442  IH 


127 

1  (A)  .submit  to  tlie  Secretaiy  an  application 

2  at  STLcli  time,  in  such  maimer,  and  containing 

3  sucli  infr>rmation  as  the  Secretaiy  may  require: 

4  '  B !  siilimit  to  the  Secretaiy  a  strategic 

5  plan  foT  tlie  unplemeiitatioii  of  data  sharing 

6  and  interciperabilir.'  meastu-es: 

7  (C)  adopt  the  standards  adopted  by  the 

8  Federal  C-rOvermnent  under  section  301; 

9  (Di    implement    the    measimes  adopted 

10  under  section  221  and  report  to  the  Secretaiy 

11  on  such  measures; 

12  -      {E  j  comply  mth  the  reqmi'ements  of  title 

13  I; 

14  'Fi  take  hito  account  the  mput  of  employ- 

15  ees  and  staff"  who  are  dh-ectly  mvolved  m  pa- 

16  tient  care  of  such  health  care  providers  in  the 

17  design,  implementation,  and  use  of  qualified 

18  health  information  techiiolog}^  systems: 

19  (CtI  demonstrate  sigihficant  financial  need; 

20  iHi  proxide  matching  funds  in  accordance 

21  mth  paragTaph  (  4)  :  and 

22  (I  )  be  a— 

23  ,  (i)  pubhc  or  not  for  profit  hospital; 
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1  (ii)  federally  qualified  health  center 

2  (as  defined  in  section  1861(aa)(4)  of  the 

3  Social  Security  Act); 

4  (iii)  individual  or  group  practice  (or  a 

5  consortium  thereof);  or 

6  (iv)  another  health  care  provider  not 

7  described  in  clause  (i)  or  (ii); 

8  that  sei-ves  medically  undeserved  communities. 

9  (3)  Use  of  funds. — ^Amounts  received  under  a 

10  grant  under  this  subsection  shall  be  used  to — 

11  (A)   facilitate  the  purchase  of  qualified 

12  health  information  technology  systems; 

13  (B)  train  personnel  in  the  use  of  such  sys- 

14  terns ; 

15  (C)  enhance  the  utilization  of  qualified 

16  health  information  technology  systems  (which 

17  may  include  activities  to  increase  the  awareness 

18  among  consumers  of  health  care  privacy  protec- 

19  tions);  or 

20  (D)  improve  the  prevention  and  manage- 

21  ment  of  chronic  disease. 

22  (4)  Matcihing  requirement. — To  be  eligible 

23  for  a  grant  under  this  subsection  an  entity  shall  con- 

24  tribute  non-Federal  contributions  to  the  costs  of  car- 

25  lying  out  the  activities  for  which  the  grant  is  award- 
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ed  ill  an  aiiioiiiiT  equal  to  -SI  for  each  S3  of  Federal 
funds  provided  imder  the  grant. 

(5)  PREFEREXCE  IX  AAV.VEDIXG  GRANTS. — In 
awarding  grants  under  tliis  subsection  tlie  Secretaiy 
shall  give  preference  to — 

(A)  eligible  entities  that  will  improve  the 
degree  to  winch  such  entity  vill  linlv  the  quali- 
fied health  information  technology  system  to 
local  or  regional  health  information  plan  or 
plans:  and 

(B)  respect  to  awards  made  for  the 
piupose  of  pro^ichng  care  in  an  outpatient  med- 
ical setting,  entities  that  organize  their  prac- 
tices as  a  patient-centered  medical  home. 

(b)  Co:^ipetitrt:  Gkixts  fur  the  Deat:lopaiext 
OF  State  Loax  Progkiais  To  Facilitate  the  AVide- 
spREAD  Adoption  of  Health  Ixtor:\iatiox  Tech- 

XOLOGY. — 

( 1 )  Ix  GEX'EiL-vL. — The  Secretaiy  may  award 
competitive  grants  to  States  for  the  establislniieiit  of 
State  programs  for  loans  to  health  care  providers  to 
facilitate  the  purchase  and  enliance  the  utilization  of 
ciualified  lieahh  mformation  technology. 

(2)  Establishaiext  of  fuxd. — To  be  ehgible 
to  receiA'e  a  competitive  grant  imder  this  subseetiou, 

.HR  5442  m  •  '  •  '  ^- 


130 

1  a  State  shall  establish  a  qualified  health  information 

2  technology  loan  fund  (referred  to  in  this  subsection 

3  as  a  "State  loan  fund")  and  comply  with  the  other 

4  requirements  contained  in  this  subsection.  Amounts 

5  received  under  a  grant  under  this  subsection  shall  be 

6  deposited  in  the  State  loan  fund  established  by  the 

7  State.  No  funds  authorized  by  other  pro^dsions  of 

8  this  title  to  be  used  for  other  purposes  specified  in 

9  this  title  shall  be  deposited  in  any  such  State  loan 

10  fund. 

11  (3)  Eligibility. — To  be  eligible  to  receive  a 

12  grant  under  paragraph  (1)  a  State  shall — 

13  (A)  submit  to  the  Secretary  an  application 

14  at  such  time,  in  such  manner,  and  containing 

15  such  information  as  the  Secretary  may  require; 

16  (B)  submit  to  the  Secretary  a  strategic 

17  plan  in  accordance  with  paragraph  (4); 

18  (C)  establish  a  qualified  health  information 

19  technology  loan  fund  in  accordance  with  para- 

20  graph  (2); 

21  (D)  require  that  health  care  providers  re- 

22  ceiving  loans  under  the  grant — 

23  (i)  link,  to  the  extent  practicable,  the 

24  qualified  health  information  system  to  a 
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1  local  or  regiorLal  healtli  infoiTiiation  net- 

3  (ii)    consult,    as    needed,    vdth  the 

4  Health  Information  Teclniolog^'  Resomx-e 

5  Center  established  in  section  914(d)  to  ac- 

6  cess  the  knoAviedge  and  ex[>erience  of  exist- 

7  ing  initiatives  regarding  the  snccessfol  un- 

8  '  "  plementation  and  effective  use  of  health  hi- 

9  formation  technology; 

10  (iii)  agree  to  notify  hididdnals  if  their 

11  personal  health  information  is  m-ongfolly 

12  disclosed:  and 

13  (iv)  take  into  account  the  input  of  em- 

14  ployees  and  staff  who  ai^e  dii^ectly  uiYohred 

15  in  patient  care  of  such  health  care  pro- 

16  viders  hi  the  design  and  implementation 

17  -  and  use  of  qualified  health  infonnation 

18  technology  systems; 

19  (E)  requii'e  that  health  care  providers  re- 

20  cehiiig  loans  under  the  gi^ant  adopt  the  stand- 

2 1  ards  adopted  by  the  Federal  G-ovemment  under 

22  section  301: 

23  (F)  requh-e  that  health  care  providers  re- 

24  ~     ceidng  loans  under  the  gi^ant  implement  the 
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1  measures  adopted  under  section  221  and  report 

2  to  the  Secretary  on  such  measures;  and 

3  (G)  provide  matching  fiinds  in  accordance 

4  wth  parag-raph  (8). 

5  (4)  Strategic  plan. — 

6  (A)  In  general. — State  that  receives  a 

7  grant  under  this  subsection  shall  annually  pre- 

8  pare  a  strategic  plan  that  identifies  the  in- 

9  tended  uses  of  amounts  available  to  the  State 

10  loan  fund  of  the  State. 

11  (B)  Contents. — strategic  plan  under 

12  subparagraph  (A)  shall  include — 

13  (i)  a  list  of  the  projects  to  be  assisted 

14  through  the  State  loan  fund  in  the  first 

15  fiscal  year  that  begins  after  the  date  on 

16  which  the  plan  is  submitted; 

17  (ii)  a  description  of  the  criteria  and 

18  methods  established  for  the  distribution  of 

19  funds  from  the  State  loan  fund; 

20  (iii)  a  description  of  the  financial  sta- 

21  *  tus  of  the  State  loan  fiuid  and  the  short- 

22  term  and  long-term  goals  of  the  State  loan 

23  fund;  and 

24  (iv)  a  description  of  the  strategies  the 

25  State  wiW  use  to  address  challenges  in  the 
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1  a' :    "  :  health  hif'cirmation  teelmolog}^ 

2  due  to  hmited  broadband  access. 

3  (5)  Use  of  fiends. — 

4  'A'  Lx  GEXEEAL. — ^Aiiioimts  deposited  m  a 

5  State  loan  fund.  uielii(:hng  loan  repayments  and 

6  interest  earned  on  such  amoimts.  shall  be  used 

7  only  for  awardhig  loans  or  loan  guarantees,  or 

8  as  a  soni'ce  of  resen^e  and  secimt}'  for  ie^^erag-ed 

9  loans,  the  proceeds  of  which  are  deposited  in 

10  the  State  loan  fund  estalilished  imder  para- 

11  gi'aph  ill.  Loans  imder  tins  section  may  be 

12  nsed  by  a  health  care  provider  to — 

13  til  facihtate  the  piux-hase  of  qualified 

14  health  information  teclniology  systems: 

15  (ul  enhance  the  utilization  of  quahfied 

16  health    information    technolog^^  s;s^tems 

17  (whieh  may  include  actiyities  to  increase 

18  ■  the  awareness  among  consiuners  of  health 

19  eai^e  of  privacy  protections  and  privacy 

20  lights);  or 

21  (iii)  train  personnel  in  the  use  of  such 

22  systems. 

23  ^:B  i  Ldhtation. — -Amounts  received  by  a 

24  State  imder  this  sul^section  may  not  be  used — 
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1  (i)  for  the  purchase  or  other  acquisi- 

2  tion  of  any  health  information  technology 

3  system  that  is  not  a  qualified  health  infor- 

4  mation  technology  system; 

5  (ii)  to  conduct  activities  for  which 

6  Federal  fiinds  are  expended  under  this 

7  title,  or  the  amendments  made  by  this 

8  title;  or 

9  (iii)  for  any  purpose  other  than  mak- 

10  iug  loans  to  eligible  entities  under  this  sec- 

11  tion. 

12  (6)  Types  op  asslstance. — Except  as  other- 

13  wise  limited  by  applicable  State  law,  amounts  depos- 

14  ited  into  a  State  loan  fund  under  this  subsection 

15  may  only  be  used  for  the  following: 

16  (A)  To  award  loans  that  comply  with  the 

17  following: 

18  (i)  The  interest  rate  for  each  loan 

19  shall  be  less  than  or  equal  to  the  market 

20  interest  rate. 

21  ,  (ii)  The  principal  and  interest  pay- 

22  ments  on  each  loan  shall  commence  not 

23  later  than  1  year  after  the  date  on  which 

24  the  loan  was  awarded,  and  each  loan  shall 
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1  -  be  fully  amortized  not  later  than  10  years 

2  '  after  such  date. 

3  -  i  (iii)  The  State  loan  fund  shaU  be 

4  credited  mth  aU  pa^i^nents  of  prmcipal  and 

5  interest  on  each  loan  awarded  from  the 

6  fund. 

7  (B)  To  guarantee,  or  purchase  insurance 

8  for,  a  local  obhgation  (aU  of  the  proceeds  of 

9  which  finance  a  project  ehgible  for  assistance 

10  under  tliis  subsection)  if  the  guarantee  or  pur- 

11  chase  would  improve  credit  market  access  or  re- 

12  duce  the  interest  rate  apphcable  to  the  obhga- 

13  tion  uiYolved. 

14  (C)  As  a  source  of  revenue  or  security  for 

15  the  pawient  of  prmcipal  and  interest  on  rev- 

16  euue  or  general  obligation  bonds  issued  by  the 

17  State  if  the  proceeds  of  the  sale  of  the  bonds 

18  will  be  deposited  mto  the  State  loan  fund. 

19  (D)  To  earn  mterest  on  the  amomits  de- 

20  posited  into  the  State  loan  fimd. 

21  (7)     Administration     of     state  loan 

22  FUNT3S. — 

23  (A)  Combined  financial  ADmxiSTRA- 

24  TION. — ^A  State  mRy  (as  a  convenience  and  to 

25  avoid  unnecessaiy  administrative  costs)  com- 


•HR  5442  m 


136 

1  bine,  in  accordance  with  State  law,  the  financial 

2  administration  of  a  State  loan  fund  established 

3  under  this  subsection  with  the  financial  admin- 

4  istration  of  any  other  revolving  fund  established 

5  by  the  State  if  not  otherwise  prohibited  by  the 

6  law  under  which  the  State  loan  fund  was  estab- 

7  lished. 

8  (B)  Cost  of  administering  fund. — 

9  Each  State  may  annually  use  not  to  exceed  4 

10  percent  of  the  funds  provided  to  the  State 

11  under  a  grant  under  this  subsection  to  pay  the 

12  reasonable  costs  of  the  administration  of  the 

13  progi^ams  under  this  section,  including  the  re- 

14  coveiy  of  reasonable  costs  expended  to  estabhsh 

15  a  State  loan  fund  which  are  incurred  after  the 

16  date  of  enactment  of  this  title. 

17  (C)  Guidance  and  regui^tions. — The 

18  Secretary  shall  publish  guidance  and  promul- 

19  gate  regulations  as  may  be  necessary  to  carry 

20  out  the  provisions  of  this  subsection,  includ- 

21  ing — 

22  (i)   provisions   to   ensure   that  each 

23  State  commits  and  expends  fiinds  allotted 

24  to  the  State  under  this  subsection  as  effi- 
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1  eiently  as  possible  in  accordance  ^^ith  this 

2  "  title  and  applicable  State  laws;  and 

3  (ii)  guidance  to  prevent  waste,  fraud, 

4  "  and  abuse. 

5  (D)  Prr^ate  sector  coxtributioxs. — 

6  •  (i)  Ix  GEXERAL. — State  loan  fund 

7  r' '  established  under  this  subsection  may  ac- 

8  cept  contributions  fi^om  private  sector  enti- 

9  ties,  except  that  such  entities  may  not 

10  specif^'  the  recipient  or  recipients  of  any 

11  -   ^  loan  issued  under  tliis  subsection. 

12  (u)    Availability    of  ixfor^li- 

13  Tiox. — State  shall  make  pubhcly  avail- 

14  able  the  identity  of,  and  amount  contril> 

15  uted  by,  any  jDrivate  sector  entity  under 

16  clause  (i)  and  may  issue  letters  of  com- 

17  mendation  or  make  other  awards  (that 

18  have  no  financial  value)  to  am^  such  entity. 

19  (8)  :\Iatchixg  require^iexts. — 

20  (A)  Ix  GEX'ERAL. — The  Secretaiy  may  not 

21  make  a  grant  under  paragraph  (1)  to  a  State 

22  miless  the  State  agrees  to  make  available  (di- 

23  rectly  or  through  donations  fi'om  pubhc  or  pri- 

24  vate  entities)  non-Federal  contributions  in  cash 

25  toward  the  costs  of  the  State  program  to  be  un- 
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1  plemented  under  the  grant  in  an  amount  equal  ( 

2  to  not  less  than  $1  for  each  $1  of  Federal  \ 

3  funds  provided  under  the  grant.  '  ; 

4  (B)  Determination  of  i^MOUNT  of  non- 

5  FEDERiVlj  CONTRIBUTION. — In  determining  the 

6  amount  of  non-Federal  contributions  that  a 

7  State  has  provided  pursuant  to  subparagraph 

8  (A),    the    Secretary    may    not    include    any  -i 

9  amounts  provided  to  the  State  by  the  Federal  : 

10  Goverimient. 

11  (9)  Preference  in  awarding  grants. — The  [ 

12  Secretary  may  give  a  preference  in  awarding  grants 

13  under  this  subsection  to  States  that  adopt  value- 

14  based  purchasing  programs  to  improve  health  care 

15  quality. 

16  (10)  Reports. — The  Secretary  shall  annually 

17  submit  to  the  Committee  on  Health,  Education, 

18  Labor,  and  Pensions  and  the  Committee  on  Finance 

19  of  the  Senate,  and  the  Committee  on  Energy  and 

20  Commerce  and  the  Committee  on  Ways  and  Means 

21  of  the  House  of  Representatives,  a  report  summa- 

22  rizing  the  reports  received  by  the  Secretary  from 

23  each  State  that  receives  a  grant  under  this  sub- 

24  section. 
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1  (c)  CoMPBTiTR^  Grants  for  the  Implementa- 

2  TiON  OF  Regional  or  Local  HEAi/ni  Information 

3  Technology  Plans. — 

4  (1)  In  general. — The  Secretaiy  may  award 

5  competitive  gi-ants  to  eligible  entities  to  implement 

6  regional  or  local  health  information  plans  to  improve 

7  health  care  quality  and  efficiency  through  the  elec- 

8  tronic  exchange  of  personal  health  information  pur- 

9  suant  to  the  standards,  implementation  specif ica- 

10  tions  and  certification  criteria,  and  other  require- 

11  ments  adopted  by  the  Secretaiy  under  section  221. 

12  (2)  Eligibility. — To  be  ehgible  to  receive  a 

13  grant  under  paragraph  (1)  an  entity,  which  may  be 

14  a  health  record  bank  or  trust,  shall — 

15  (A)  demonstrate  financial  need  to  the  Sec- 

16  retary; 

17  (B)  demonstrate  that  one  of  its  principal 

18  missions  or  purposes  is  to  use  information  tech- 

19  iiology  to  improve  health  care  quality  and  effi- 

20  ciency; 

21  (C)  adopt  bylaws,  memoranda  of  under- 

22  standing,  or  other  charter  documents  that  dem- 

23  onstrate  that  the  governance  structure  and  de- 

24  cision  making  processes  of  such  entity  allow  for 
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1  participation  on  an  ongoing  basis  by  multiple 

2  stakeholders  within  a  community,  including — 

3  (i)   health  care  providers  (including 

4  health  care  providers  that  provide  services 

5  to    low    income    and   undeserved  popu- 

6  lations); 

7  (ii)  pharmacists  or  pharmacies; 

8  (iii)  health  plans; 

9  (iv)  health  centers  (as  defined  in  sec- 

10  tion  330(b))  and  federally  qualified  health 

11  centers  (as  defined  in  section  1861(aa)(4) 

12  of  the   Social   Security  Act)   and  rural 

13  health    clinics    (as    defined    in  section 

14  1861(aa)  of  the  Social  Security  Act),  if 

15  such  centers  or  clinics  are  present  in  the 

16  community  sensed  by  the  entity; 

17  (v)  patient  or  consumer  organizations; 

18  (\i)   organizations   dedicated  to  im- 

19  pro^dng  the  health  of  vulnerable  popu- 

20  lations; 

21  »  (\ii)  employers; 

22  (viii)   State  or  local  health  depart- 

23  ments;  and 
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1  I  ix  I  any  other  health  care  providers  or 

2  other  entities,  as  determined  appropriate 

3  by  the  Secretaiy: 

4  iDi  demonstrate  the  panicipation.  to  the 

5  extent  practicable,  of  stakeholders  in  the  elec- 

6  tronic  exchange  of  personal  health  uif^rmation 

7  ■  T^dthm  the  local  or  regional  plan  ptu^snant  to 

8  subparagTaph  iC); 

9  I E 1  adopt  nonchscrirnination  and  conflict  of 

10  uiterest  pohcies  that  demonstrate  a  cormnit- 

11  ment  to  open.  fau\  and  mjnchscriminatoiy  par- 

12  ticipation  in  the  health  information  plan  by  all 

13  stakeholders: 

14  iF)  adopt  the  standards  adopted  by  the 

1 5  Secretary-  imder  section  301: 

16  iCti  reqiih^e  that  health  care  providers  re- 

17  ceiling  such  grants — 

18  ill  unpleinent  the  measiu-es  adopted 

19  imder  section  221  and  repon  to  the  Sec- 

20  retaiy  on  such  measures :  and 

21  (u)  take  into  account  the  input  of  em- 

22  ployees  and  staff  who  are  dh-ectly  m^-oh-ed 

23  m  patient  care  of  such  health  care  pro- 

24  —  Aiders  in  the  design,  implementation,  and 
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1  use  of  health  information  technology  sys- 

2  terns ;  .  >. 

3  (H)  agree  to  comply  with  the  requirements 

4  of  title  I; 

5  (I)  facilitate  the  electronic  exchange  of  per- 

6  sonal  health  information  wdthin  the  local  or  re- 

7  gional  area  and  among  local  and  regional  areas; 

8  (J)  prepare  and  submit  to  the  Secretary  an 

9  application  in  accordance  with  paragraph  (3); 

10  (K)  agree  to  provide  matching  funds  in  ac- 

11  cordance  with  paragraph  (5);  and 

12  (L)  reduce  barriers  to  the  implementation 

13  of  health  information  technology  by  providers. 

14  (3)  Application. — 

15  (A)  In  generai.. — To  be  eligible  to  receive 

16  a  gi'ant  under  paragraph  (1),  an  entity  shall 

17  submit  to  the  Secretary  an  application  at  such 

18  time,  in  such  manner,  and  containing  such  in- 

19  formation  as  the  Secretary  may  require. 

20  (B)  Required  information. — ^At  a  min- 

21  imum,   an   application   submitted  under  this 

22  paragraph  shall  include — 

23  =  (i)  clearly  identified  short-term  and 

24  long-term  objectives  of  the  regional  or  local 

25  health  information  plan; 
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1  -  (ii)  a  teclmolog^'  plan  that  complies 

2  with  the  standards,  implementation  speci- 

3  fieations,  and  certification  criteria  adopted 

4  nnder  section  202(c)(6)  and  that  includes 

5  :  a  descriptive  and  reasoned  estimate  of 

6  ^  -  costs  of  the  hardware,  software,  training, 

7  and  consultmg  senices  necessaiy  to  imi3le- 

8  ment  the  regional  or  local  health  informa- 

9  tion  plan; 

10  (iii)  a  strategy  that  includes  initiatives 

11  to  unprove  health  care  quality  and  effi- 

12  ciency,  mcludhig  the  use  and  reporting  of 

13  health    care    quahty    measui^es  adopted 

14  under  section  221; 

15  (iv)  a  plan  that  describes  provisions  to 

16  encourage  the  unplementation  of  the  elec- 

17  tronic  exchange  of  personal  health  infor- 

18  mation  by  all  health  care  providers  partici- 

19  pating  in  the  health  information  plan; 

20  (v)  a  plan  to  ensuiT  the  privacy  and 

21  securits^  of  personal   health  information 

22  that  is  consistent  with  the  requirements  of 

23  -  title  I; 

24  ~  (vi)  a  governance  plan  that  defines 

25  the  mamier  m  which  the  stakeholders  shall 
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1  jointly  make  policy  and  operational  deci- 

2  sions  on  an  ongoing  basis;  ■? 

3  (vii)  a  financial  or  business  plan  that 

4  describes — 

5  (I)  the  sustain  ability  of  the  plan; 

6  (II)  the  financial  costs  and  bene- 

7  fits  of  the  plan;  and  ' 

8  (III)  the  entities  to  which  such 

9  costs  and  benefits  will  accrue;  ^ 

10  (viii)   a  description  of  whether  the 

11  State  in  which  the  entity  resides  has  re- 

12  ceived  a  grant  under  section  319D  of  the 

13  Public  Health  Service  Act,  alone  or  as  a 

14  part  of  a  consortium,  and  if  the  State  has 

15  received  such  a  grant,  how  the  entity  will 

16  coordinate  the  acti\ities  funded  under  such 

17  section  319D  with  the  system  under  this 

18  section;  and 

19  (ix)  in  the  case  of  an  applicant  entity 

20  that  is  unable  to  demonstrate  the  partici- 

21  ,       pation   of  all   stakeholders   pursuant  to 

22  paragi^aph  (2)(C),  the  justification  from 

23  the  entity  for  any  such  nonparticipation. 

24  (4)  Use  op  ptinds. — ^Amounts  received  under  a 

25  grant  under  paragraph  (1)  shall  be  used  to  establish 
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1  and  miplement  a  regional  or  local  health  information 

2  plan  m  accordance  with  tliis  subsection. 

3  (5)  ^Matching  REQurREMENT. — 

4  (A)  In  general. — The  Secret aiy  may  not 

5  make  a  grant  under  tliis  subsection  to  an  entity 

6  unless  the  entity  agrees  that,  with  respect  to 

7  '  the  costs  to  be  mcuiTed  by  the  entitv^  in  car- 

8  ^  rymg  out  the  network  program  for  which  the 

9  gi^ant  was  awarded,  the  entitA^  wih  make  ayail- 

10  able  (dh^ectly  or  tln^ough  donations  fi^om  public 

11  or  private  entities)  non-Federal  contributions 

12  toward  such  costs  in  an  amount  equal  to  not 

13  less  than  50  percent  of  such  costs  ($1  for  each 

14  $2  of  Federal  funds  pro^rded  mider  the  grant). 

15  (B)  Deteraiination  of  aj^iount  con- 

16  TRIBLTTED. — Non-Federal     contributions  re- 

17  quh^ed  under  subparagi^aph  (A)  may  be  m  cash 

18  or  m  kuid,  faMy  evaluated,  including  equip- 

19  ment,  teclmolog^^  or  sendees.  Ainomits  i3rorided 

20  by  the  Federal  Govermnent,  or  sendees  assisted 

21  or  subsidized  to  any  significant  extent  by  the 

22  Federal  Goverimient,  may  not  be  included  in 

23  determhiing  the  amount  of  such  non-Federal 

24  -       contributions.  ; 
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1  (6)  Health  record  bank  or  trust  de- 

2  FINED. — In  this  section,  the  term  "health  record 

3  bank  or  trust"  means  an  independent  organization 

4  that  provides  a  secure  electronic  repository  for  stor- 

5  ing  and  maintaining  an  individual's  lifetime  health 

6  and  medical  records  from  multiple  sources  and  en- 

7  suring  that  the  individual  always  has  complete  con- 

8  trol  over  who  accesses  their  information. 

9  (d)  Reports. — Not  later  than  1  year  after  the  date 


10  on  which  the  first  grant  is  awarded  under  this  section, 

1 1  and  annually  thereafter  during  the  grant  period,  an  entity 

12  that  receives  a  grant  under  this  section  shall  submit  to 

13  the  Secretaiy  a  report  on  the  activities  carried  out  under 

14  the  grant  involved.  Each  such  report  shall  include — 


15  (1)  a  description  of  the  financial  costs  and  ben- 

16  efits  of  the  project  involved  and  of  the  entities  to 

17  which  such  costs  and  benefits  accrue; 

18  (2)  an  analysis  of  the  impact  of  the  project  on 

19  health  care  quality  and  safety; 

20  (3)  a  description  of  any  reduction  in  duplicative 

21  or  unnecessary  care  as  a  result  of  the  project  in- 

22  volved;  and 

23  (4)  other  information  as  required  by  the  Sec- 

24  retary.  --. 

25  (e)  Authorization  OF  Appropriations. — 
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1  (li  Ix  GEXEPwVL. — Fi;ir  the  purpu.se  of  earning 

2  OUT  tMs  section,  there  is  antliorized  to  be  appro- 

3  priated   .Sl39.0(j0,(j00   for   fiscal  year   2009  and 

4  $139.000.U00  for  fiscal  year  2010. 

5  (2 1     AVAII^IBILITY, — ^Ainijiints  appropriated 

6  under  paragraph  1 1 1  shah  remain  available  through 

7  fiscal  year  2 U 12. 

8  sec.  212.  demoxsteation  pr0gra3i  to  dstegrate  ix- 

9  for:vl\tiox  techxology  esto  clesical 

10  educatiox. 

11  lai  Ix  Gexeeal. — The  Secretaiy  may  award  grants 


12  to  eligible  entities  or  consonia  tmder  tins  section  to  cany 

13  out  deniijnstratiLin  projects  to  develop  academic  ctirricula 

14  integrathig  qualified  health  information  technology  s;^-s- 

15  tenis  in  the  cluneal  education  of  health  professionals  or 

16  anah'ze  clinical  data  sets  to  chscover  qualir^'  meastu'es. 

17  Such  awards  shah  be  made  on  a  competitive  l3asis  and 

18  pursuant  to  peer  review. 


19  lb  I  EliCtIBILITI'. — To  be  ehgible  to  receive  a  grant 

20  under  stibsection  i  a  i.  an  entity  or  consortuim  shall — 

21  (li  subrrht  to  the  Secretaiy  an  applieatioii  at 

22  such  thue.  in  such  manner,  and  contaiiung  such  ui- 

23  formation  as  the  Secretaiy  may  reqiuiv: 

24  —       (2 )  be  or  include —    '  ' 

25  (Ai  a  health  professions  school; 
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1  (B)  a  school  of  nursing;  or  ' 

2  (C)  an  institution  with  a  graduate  medical 

3  education  program; 

4  (3)  provide  for  the  collection  of  data  regarding 

5  the  effectiveness  of  the  demonstration  project  to  be 

6  funded  under  the  grant  in  improving  the  safety  of 

7  patients  and  the  efficiency  of  health  care  delivery; 

8  and  ?  " 

9  (4)  provide  matching  funds  in  accordance  with 

10  subsection  (d). 

11  (c)  Use  OF  Funds. — 

12  (1)  In  generaIj. — ^With  respect  to  a  grant 

13  under  subsection  (a),  an  eligible  entity  or  consortium 

14  shall  use  amounts  received  under  the  grant  in  col- 

15  laboration  with  2  or  more  disciplines. 

16  (2)  Limitation. — ^An  eligil^le  entity  or  consor- 

17  tium  shall  not  award  a  grant  under  subsection  (a) 

18  to  purchase  hardware,  software,  or  services.    ^ - 

19  (d)  Matching  Funds. —  ' 

20  (1)  In  general. — The  Secretary  may  award  a 

21  grant  to  an  entity  under  or  consortium  this  section 

22  only  if  the  entity  of  consortium  agrees  to  make  avail- 

23  able  non-Federal  contributions  toward  the  costs  of 

24  the  program  to  be  funded  under  the  grant  in  an 
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1  amount  that  is  not  less  tlian  $1  for  each  $2  of  Fed- 

2  eral  funds  provided  under  the  grant . 

3  (2)    DETER]\riXATIOX    OF    .\]\IOUXT  COXTRIB- 

4  TTED. — Xon-Federal  contributions  under  paragraph 

5  (1)  may  be  m  cash  or  in  kind,  fairly  evaluated,  in- 

6  cludhig  eciuii3ment  or  senices.  Amomits  provided  by 

7  the  Federal  Govermuent,  or  senrces  assisted  or  sub- 

8  sidized  to  any  significant  extent  by  the  Federal  Gov- 

9  ermnent.  may  not  be  included  in  determining  the 

10  amomit  of  such  contributions. 

11  (e)  EvALiTATiox. — The  Secret aiy  shall  take  such  ac- 

12  tion  as  may  be  necessaiy  to  evaluate  the  projects  funded 

13  under  tliis  section  and  pubhsh,  make  available,  and  dis- 

14  seminate  the  results  of  such  evaluations  on  as  wide  a  basis 

15  as  is  practicable. 

16  (f)  Reports. — Not  later  than  1  year  after  the  date 

17  of  enactment  of  tliis  title,  and  ammaUy  thereafter,  the  Sec- 

18  retaiy  shaU  submit  to  the  Conunittee  on  Heahh.  Edu- 

19  cation,  Labor,  and  Pensions  and  the  Conunittee  on  Fi- 

20  nance  of  the  Senate,  and  the  Conunittee  on  Energy  and 

21  Conunerce  and  the  Conunittee  on  Ways  and  Means  of  the 

22  House  of  Representatives  a  report  that — 

23  (1)  describes  the  specific  projects  estabhshed 

24  under  tliis  section;  and 
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1  (2)    eontaiiis   reconiniendations   for  Congress 

2  based  on  the  evaluation  conducted  under  subsection 

3  (e). 

4  (g)  Authorization  of  Appropriations. — There  is 

5  authorized  to  be  appropriated  to  carry  out  this  section, 

6  $2,000,000  for  each  of  fiscal  years  2009  and  2010. 

7  (h)  Sunset. — This  pro\dsions  of  this  section  sliall  not 

8  ai)ply  after  September  30,  2012. 

9  SEC.  213.  QUALIFIED  HEALTH  INFORMATION  TECHNOLOGY 

10  SYSTEM  DEFINED. 

11  In  this  subtitle,  the  term  "qualified  health  informa- 

12  tion  technology  system"  means  a  computerized  system  (in- 

13  eluding  hardware  and  software)  that — 

14  (1)  safeguards  the  privacy,  security,  and  con- 

15  fidentiality  of  personal  health  information  in  accord- 

16  ance  with  the  requirements  of  title  I; 

17  (2)  maintains  and  pro^ddes  permitted  access  to 

18  health  information  in  an  electronic  format; 

19  (3)  mtli  respect  to  personal  health  information 

20  maintained  in  a  designated  record  set,  presei-ves  an 

21  audit  trail  of  each  indi^ddual  that  has  gained  access 

22  to  such  record  set; 

23  (4)   incorporates   decision   support  to  reduce 

24  medical  errors  and  enliance  health  care  quality; 


•HR  5442  IH 


151 

'  5  I  complies  v^ith  the  standards  adcipted  by  the 
Federal  Government  under  seetiijri  202; 

I  6  I  has  the  ability-  t':i  transmit  and  exehang-e  in- 
f(:irmatii:iri  trj  other  health  niforniation  technology 
systems  and.  to  the  extent  feasible,  public  health  in- 
fonnation  technology  systems:  and 

(7 1  allows  for  the  reponhig  of  Citialit^-  meastires 
adopted  under  section  221. 

Subtitle  C — Improving  the  Quality 
of  Health  Care 

SEC.  221.  FOSTERESG  DE\TLOPMENT  .\XD  USE  OF  HEALTH 
CARE  QUALITY  MEASURES. 

(a)  Ix  Gexeeal. — The  Secretaiy  shaU  provide  for 
the  development  and  rise  of  health  care  qtiahtA-  meastu-es 
irefeiTcd  to  m  this  title  as  "citiahtA-  meastu'es'b  for  the 
piupose  of  measmdng  the  qiiahty  and  efficiency  of  health 
care  that  patients  receive.  - 

dii  Desigxatiox  of.  axd  Akraxgemext  With. 

ORLtAXTZATIOX. — 

'li  Ix  i;tEXt:ral. — Xot  later  than  90  days  after 
the  date  of  enactment  of  this  title,  the  Secretaiy 
shaU  designate,  and  ha^-e  in  effect  an  arrangement 
-with,  a  smgle  organization  that  meets  the  rec[iiu'e- 
ments  of  siibsectiori  <  c  i  imder  which  siicli  ijrgaiiiza- 
tion  shah  promote  the  development  of  quality-  meas- 
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1  ures  and  provide  the  Secretary  with  advice  and  rec- 

2  ommendations  on  the  key  elements  and  priorities  of 

3  a  national  system  for  healthcare  performance  meas- 

4  urement. 

5  (2)  Responsibilities. — The  responsibilities  to 

6  be  performed  by  the  organization  designated  under 

7  paragraph  (1)  (in  this  title  referred  to  as  the  "des- 

8  ignated  organization")  shall  include — 

9  (A)  establishing  and  managing  an  inte- 

10  gi'ated  national  strategy  and  process  for  setting 

11  priorities   and   goals   in   establishing  quality 

12  measures; 

13  (B)  coordinating  and  harmonizing  the  de- 

14  velopment  and  testing  of  such  measures; 

15  (C)  establishing  standards  for  the  develop- 

16  ment  and  testing  of  such  measures; 

17  (D)  endorsing  national  consensus  quality 

18  measures; 

19  (E)  recommending,  in  collaboration  with 

20  multi-stakeholder  groups,  quality  measures  to 

21  the  Secretaiy  for  adoption  and  use; 

22  (F)  promoting  the  development  and  use  of 

23  electronic    health    records    that    contain  the 

24  functionality  for  automated  collection,  aggrega- 
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1  tion.  and  transmission  of  performance  measure- 

2  ment  infjrmation:  and 

3  iGi  providing'  recommendations  and  advice 

4  to  the  Paitnersliip  for  Health  I' are  Impr(jA-e- 

5  ment  regarchiig  the  integration  of  qtialitA'  meas- 

6  ures    into    the    ceitificatujn   process  otitlined 

7  under  section  202  and  the  American  Health  In- 

8  formation  C'ommituutA-  regarding  national  poli- 

9  cies  outlined  tmder  section  203. 

10  ic)  Requireaiexts  Described. — The  reqtm^ements 

1 1  described  in  this  subsection  are  the  folloi^ing: 

12  ill  Prr'ate  entity. — The  organization  shaU 

13  be  a  pri\'ate  nonprofit  entity  that  is  goA'erned  by  a 

14  board  of  chrectors  and  an  individual  who  is  des- 

15  igiiated  as  president  and  clhef  executive  officer. 

16  (2)  Board  aieaibership. — The  members  of  the 

17  board  of  chrectors  of  the  entity  shaU  include  rep- 

18  resentatives  of^ — 

19  (A)  health  care  providers  or  groups  rep- 

20  resentmg  providers:  - 

21  -•  -  'Bi  ht-alth  plans  or  groups  representing 

22  health  plans: 

23  I C )  patients  or  consumers  enroUed  in  such 

24  plans  or  groups  representuig  inchviduals  en- 

25  roUed  m  such  plans: 
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1  (D)  health  care  purchasers  and  employers 

2  or  groups  representing  purchasers  or  employers; 

3  and 

4  (E)  organizations  that  develop  health  in- 

5  formation  technology  standards  and  new  health 

6  information  technology. 

7  (3)   Other  membership  requirements. — 

8  The  membership  of  the  board  of  directors  of  the  en- 

9  tity  shall  be  representative  of  individuals  with  expe- 

10  rience  with — 

1 1  (A)  urban  health  care  issues; 

12  (B)  safety  net  health  care  issues; 

13  (C)  rural  or  frontier  health  care  issues; 

14  (D)  quality  and  safety  issues;  -  ■ 

15  (E)  State  or  local  health  programs; 

16  (F)  individuals  or  entities  skilled  in  the 

17  conduct  and  interpretation  of  biomedical,  health 

18  sei-vices,  and  health  economics  research  and 

19  with  exi^ertise  in  outcomes  and  effectiveness  re- 

20  search  and  technology  assessment; 

21  (G)  individuals  or  entities  involved  in  the 

22  development  and  establishment  of  standards 

23  and  certification  for  health  information  tech- 

24  nology  systems  and  clinical  data;  and 
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1  iH)  meml}ers  of  the  medical  and  mental 

2  health  professions  with  exi)eitise  in  standards 

3  of  professional  etliics. 

4  (4)  (JPEX  .\XD  TiL\xsp,\iiEXT. — respect  to 

5  matters  related  to  the  arrangement  with  the  Sec- 

6  retaiy  nnder   stibsection   (aid),   the  organization 

7  shall  condnct  its  linsiness  in  an  open  and  trans- 

8  parent  manner,  and  provide  the  oppoitunity  for  pnb- 

9  lie  conunent  and  ensnre  a  balance  among  disparate 

10  stakeholders,  so  that  no  member  organization  unduly 

11  uifltiences  the  work  of  the  organization. 

12  (5)  VOLUXTARY  COXSEXsrs  ST.\XT3APvDS  SET- 

13  TIX'G  ORGAXIZATIOXS. — The  orgaihzation  shah  oper- 

14  ate  as  a  vohintaiy  consensns  standards  setting  orga- 

15  nization  as  defined  for  purposes  of  section  12(d)  of 

16  the  National  Technolog'A'  Transfer  and  Advancement 

17  Act  of  1995  iPubhc  Law  104-113 1  and  Office  of 

18  ^Management  and  Budget  Revised  Circular  A-119 

19  tpubhslied  in  the  Federal  Register  on  Febmaiy  10. 

20  1998). 

21  (6)   P.VRTICIPATIOX. — If  the  organization  re- 

22  quires  a  fee  for  membership,  the  organization  shall 

23  ensure  that  such  fee  is  not  a  substantial  liarrier  to 

24  participation  in  the  entity's  activities  related  to  the 

25  aiTangement  with  the  Secretary. 


•HE  5442  m 


156 

1  (d)  Requirements  p^or  Measures. — The  quality 

2  measures  developed  under  this  title  shall  comply  with  the 

3  follomng":  - 

4  (1)  Measures. — The  designated  organization, 

5  in  promoting  the  development  of  quality  measures 

6  under  this  title,  shall  ensure  that  such  measures — 

7  (A)  are  e\ddence-based,  reliable,  and  valid; 

8  (B)  include— 

9  (i)  measures  of  clinical  processes  and 

10  outcomes,   patient   exj^erience,  efficiency, 

11  and  equity;  and 

12  (ii)  measures  to  assess  effectiveness, 

13  timeliness,   patient  self-management,  pa- 

14  tient  centeredness,  and  safety;  and 

15  (C)   include  measures  of  underuse  and 

16  overuse. 

17  (2)  Priorities. — In  carrying  out  its  respon- 

18  sibilities  under  this  section,  the  designated  organiza- 

19  tion  shall  ensure  that  priority  is  given  to — 

20  (A)  measures  that  presei've  access  to  qual- 

21  ity  health  care  by  protecting  the  privacy  and  se- 

22  curity  of  personal  health  information; 

23  (B)  measures  with  the  greatest  i)otential 

24  impact  for  improving  the  performance  and  effi- 

25  ciency  of  care; 


•HR  5442  IH 


157 

1  (C)  measures  that  may  l)e  rapidly  imple- 

2  mented  by  gToup  health  plans,  health  insm'aiiee 

3  issuers,  physicians,  hospitals,  nursing  homes, 

4  long-term  care  providers,  and  other  providers; 

5  (D)  measures  which  may  inform  health 

6  care  decisions  made  by  consumers  and  patients; 

7  (E)  measures  that  apply  to  nmltiple  sen'- 

8  ices  fiu'uished  by  different  providers  during  an 

9  episode  of  care; 

10  (F)  measures  that  can  be  integrated  into 

11  certification  process  described  in  section  202; 

12  and 

13  (G)  measures  that  may  be  integrated  into 

14  the  decision  support  function  of  ciualified  health 

15  information  technology  as  defined  by  this  title. 

16  (3)  Risk  adji^stment. — The  designated  orga- 

17  nization,  in  consultation  vdtli  performance  measure 

18  developers  and  other  stakeholders,  shall  estabhsh 

19  procedures  to  ensure  that  quality  measures  take  into 

20  account  cUfferences  in  patient  health  status,  patient 

21  characteristics,  and  geogTaplhc  location,  as  appro- 

22  priate. 

23  (4)  :\Lajnte NANCE. — The  designated  organiza- 

24  tion,  in  consultation  \Yit\i  omiers  and  developers  of 

25  quahty  measiu-es,  shall  rec^uire  the  owners  or  clevel- 
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1  opers  of  quality  measures  to  update  and  enhance 

2  such  measures,  inchiding  the  development  of  more 

3  accurate  and  precise  specifications,  and  retire  exist- 

4  ing  outdated  measures.  Such  updating  shall  occur 

5  not  more  often  than  once  during  each  12 -month  pe- 

6  riod,  except  in  the  case  of  emergency  circumstances 

7  requiring  a  more  immediate  update  to  a  measure. 

8  (e)  Grants  for  Perfor]vl\nc!e  Measure  De\^l- 

9  OPMENT. — The  Secretaiy,  acting  through  the  Agency  for 

10  Healthcare  Research  and  Quality,  may  award  grants,  in 

11  amounts  not  to  exceed  $50,000  each,  to  organizations  to 

12  sui)port  the  development  and  testing  of  quality  measures 

13  that  meet  the  standards  established  by  the  designated  or- 

14  ganization. 

15  SEC.  222.  ADOPTION  AND  USE  OF  QUALITY  MEASURES;  RE- 

16  PORTING. 

17  (a)  In  Generaj.. — For  purposes  of  carrying  out  ac- 

18  tivities  authorized  or  required  by  this  title  to  ensure  the 

19  use  of  quality  measures  and  to  foster  uniformity  between 

20  health  care  quality  measures  utilized  by  private  entities, 

21  the  Secretaiy  shall — 

22  (1)  select  quality  measures  for  adoption  and 

23  use,  from  quality  measures  recommended  by  multi- 

24  stakeholder  groups  and  endorsed  by  the  designated 

25  organization;  and 
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1  (2)  ensure  that  standards  adopted  under  see- 

2  tion  301  integrate  the  quahty  measures  endorsed. 

3  adopted,  and  utihzed  under  this  section. 

4  (b)  Relatioxship  With  Pro(;k\3is  Under  the 

5  SOCLIL  Security  Ait. — The  Seeretaiy  shall  ensure  that 

6  the  quahty  measures  adopted  under  this  section — 

7  (1)  complement  quality  measures  developed  by 

8  the  Seeretaiy  under  programs  adnunistered  by  the 

9  Seeretaiy  under  the  Social  Security  Act.  including 

10  programs  mider  titles  X\i;il.  XIX.  and  XXL  of  such 

11  Act:  and 

12  (2)  do  not  contdict  the  needs  and  priorities 

13  of  the  programs  under  titles  X\HI.  XIX.  and  XXI 

14  of  such  Act.  as  set  forth  by  the  Administrator  of  the 

15  Centers  for  ]\Iechcare  &  Mechcaid  Sendees. 

16  (c)  Reporting. — The  Seeretaiy  shah  implement  pro- 

17  cedures.  consistent  generally  accepted  standards,  to 

18  enable  the  Department  of  Health  and  Human  Sendees  to 

19  accept  the  electronic  submission  of  data  for  purposes  of 

20  performance  measurement,  including  at  the  provider  le^'el. 

21  using  the  quality  measures  developed,   endorsed,  and 

22  adopted  pursuant  to  this  title. 

23  (d)  DisSEMiXATiOX  (3F  IxFOR-AL\Tir)X. — In  order  to 

24  make  comparative  performance  information  available  to 

25  health  care  consumers,  health  professionals,  pubhc  health 
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1  officials,  oversight  organizations,  researchers,  and  other 

2  appropriate  individuals  and  entities,  after  consultation 

3  with  multi-stakeholder  g:roups,  the  Secretary  shall  promul- 

4  gate  regxilations  to  provide  for  the  dissemination,  aggrega- 

5  tion,  and  analysis  of  quality  measures  collected  pursuant 

6  to  this  title.  r 

7  Subtitle  D— Miscellaneous 

8  Provisions 

9  SEC.  231.  HEALTH  INFORMATION  TECHNOLOGY  RESOURCE 

10  CENTER. 

11  Section  914  of  the  Public  Health  Service  Act  (42 

12  U.S.C.  299b-3)  is  amended  by  adding  at  the  end  the  fol- 

1 3  lowing: 

14  "(d)   HEiU/rH  Information  Technology  Re- 

15  source  Center. — 

16  "(1)    In    generaIj. — The    Secretary,  acting 

17  through  the  Director,  shall  develop  a  Health  Infor- 

18  mation  Technology  Resource  Center  (referred  to  in 

19  this  subsection  as  the  'Center')  to  provide  technical 

20  assistance  and  develop  best  practices  to  support  and 

21  accelerate  efforts  to  adopt,  implement,  and  effec- 

22  tively  use  interoperable  health  information  tech- 

23  nology  in  compliance  with  sections  202  and  221  of 

24  the  TRUST  in  Health  Information  Act  of  2008. 
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1  "(2)  Purposes. — The  purposes  of  the  Center 

2  are  to —  . 

3  "(A)  provide  a  forum  for  the  exchange  of 

4  knowledge  and  experience; 

5  "(B)   accelerate  the  transfer  of  lessons 

6  learned  from  existing  public  and  private  sector 

7  initiatives,  including  those  currently  recei\ing 

8  Federal  financial  support; 

9  "(C)  assemble,  analyze,  and  mdely  dis- 

10  seminate  e\idence  and  experience  related  to  the 

11  adoption,  implementation,  and  effective  use  of 

12  interoperable  health  information  technology; 

13  "(D)  pro\dde  for  the  estabhshment  of  re- 

14  gional  and  local  health  information  networks  to 

15  facilitate  the  development  of  interoperability 

16  across  health  care  settings  and  improve  the 

17  quality  of  health  care; 

18  "(E)  provide  for  the  development  of  solu- 

19  tions  to  barriers  to  the  exchange  of  electronic 

20  health  information;  and 

21  "(F)  conduct  other  activities  identified  by 

22  the  States,  local,  or  regional  health  information 

23  netw^orks,  or  health  care  stakeholders  as  a  focus 

24  -     for  developing  and  sharmg  best  practices. 
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1  "(3)  Support  for  ACTmTiES. — To  provide 

2  support  for  the  activities  of  the  Center,  the  Director 

3  shah  modify  the  requirements,  if  necessary,  that 

4  apply  to  the  National  Resource  Center  for  Health 

5  Information  Technology  to  provide  the  necessary  in- 

6  frastructure  to  support  the  duties  and  activities  of 

7  the   Center   and   facilitate   information  exchange 

8  across  the  public  and  private  sectors. 

9  "(4)   Rule  of  construction. — Nothing-  in 

10  this  subsection  shall  be  construed  to  require  the  du- 

1 1  plication  of  Federal  efforts  with  respect  to  the  estab- 

12  lishment  of  the  Center,  regardless  of  whether  such 

13  efforts  were  carried  out  prior  to  or  after  the  enact- 

14  ment  of  this  subsection. 

15  "(e)  Authorization  of  Appropriations. — There 

16  is  authorized  to  be  appropriated,  such  sums  as  may  be 

17  necessary  for  each  of  fiscal  years  2009  and  2010  to  carry 

1 8  out  this  section . " . 

19  SEC.  232.  FACILITATING  THE  PROVISION  OF  TELEHEALTH 

20  SERVICES  ACROSS  STATE  LINES. 

21  Section  330L  of  the  Pubhc  Health  Sei-vice  Act  (42 

22  U.S.C.  254c-18)  is  amended  to  read  as  follows: 
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1  "SEC.  330L.  TELEIMEDICEVE:  EsXENTRT  GRANTS  REGARD- 

2  TSG  COORDINATION'  A3I0NG  STATES. 

3  "(a)   Facilitatixg   the   Proatsiox   of  Tele- 

4  HEALTH  Seeatces  ACROSS  State  Lixes. — The  Sec- 

5  retaiy  may  make  gi'ants  to  States  that  have  adopted  re- 

6  gional  State  reeiprocm-  agi^eemeiits  for  practitioner  hceii- 

7  sm-e.  in  order  to  exj^edite  the  provision  of  teleheahh  seix- 

8  ices  across  State  hues. 

9  ■  ■  ( b  I  ArTHORIZATIOX  OF  APPROPRLITIOXS . — For  the 

10  pmi30se  of  cari^ino:  out  subsection  (a),  there  are  author- 

11  ized  to  be  appropriated  such  sums  as  may  be  necessaiy 

12  for  each  of  the  fiscal  years  2009  and  2010.". 

13  Subtitle  E — ^Definitions 

14  SEC.  241.  DEFINTnONS. 

15  In  this  title,  the  following  terms,  defined  m  section 

16  171.  have  the  meanings  given  such  terms  in  such  section: 

17  Breach  ,  confidentiaht\\  de-identified  heahh  uiformation, 

18  disclose.  Duector  of  the  Office  of  Health  Information  Pri- 

19  vacy.  employer,  health  care,  health  care  provider.  Office 

20  of  Health  Information  Privacy,  privacy,  personal  health 

21  hiformation,  Secretaiy,  secmlt^^  State,  and  use. 

22  TITLE  III— ADDITIONAL 

23  PROVISIONS 

24  SEC.  301.  FEDERAL  PURCHASING  AND  DATA  COLLECTION 

25  BY  CMS  ANT)  OTHER  FEDERAL  AGENCIES. 

26  (a)  COORDIXATIOX  OF  FEDERAL  SpEXTDIXG. — 
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1  (1)  In  general. — Not  later  than  1  year  after 

2  the  adoption  by  the  President  of  a  recommendation 

3  under  section  202(c)(6),  the  Administrator  of  the 

4  Center  for  Medicare  &  Medicaid  Sei-vices  and  the 

5  head  of  any  other  Federal  agency  shall  not  expend 

6  Federal  funds  for  the  purchase  of  any  new  health  in- 

7  formation  technolog;\^  or  health  information  tech- 

8  nology  system  for  clinical  care  or  for  the  electronic 

9  retrieval,  storage,  or  exchange  of  personal  health  in- 

10  formation  if  such  technology  or  system  is  not  con- 

11  sistent  mth  applicable  standards  adopted  by  the 

12  Federal  Government  under  section  202. 

13  (2)   Rule   of   construction. — Nothing  in 

14  paragraph  (1)  shall  be  construed  to  restrict  the  pur- 

15  chase  of  minor  (as  determined  by  the  Secretary) 

16  hardware  or  software  components  in  order  to  mod- 

17  ify,  correct  a  deficiency  in,  or  extend  the  life  of  exist- 

18  ing  hardware  or  software. 

19  (b)  Voluntary  Adoption. — 

20  (1)  In  GENERAIj. — ^Any  standards  and  imple- 

21  mentation  specifications   adopted  by  the  Federal 

22  Government  under  section  202(c)  shall  be  voluntary 

23  mtli  respect  to  private  entities. 

24  (2)  Requirement. — Private  entities  that  enter 

25  into  a  contract  with  the  Federal  Government  shall 
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1  adcipt  the  standards  and  implementaTion  specifiea- 

2  tions  adopted  by  the  Ff  deral  (T.jvermnent  under  this 

3  section  for  tlie  piu^^ose  of  activities  tmder  such  Fed- 

4  eral  contract. 

5  1 3  I  Rule  (jf  <  jjvsTEUCTiox. — Xotlhng-  in  this 

6  section  sliaU  be  constnied  to  reqiiu^e  tliat  a  private 

7  entit\-  that  enters  mto  a  contract  v^ith  the  Federal 

8  Government  adopt  the  standards  and  implementa- 

9  tion  specifications  adopted  hy  the  Federal  G-overn- 

10  ment  under  this  section  vdth  respect  to  activities  not 

11  related  to  the  contract.  ■   "  - 

12  (c)  Cooedlxatkjx  mf  Fedep^il  Data  Colleo- 

13  TluX. — Xut  later  than  3  years  after  the  adoption  by  the 

14  Federal  GoveiTanent  of  a  reconmiendation  as  provided  f  jr 

15  in  section  202ic).  aU  Federal  agencies  ( mchirliiig-  the  Cen- 

16  ter  for  ^Ifihcare      ^ledicaid  Senict^si  cijllecting  health 

17  data  m  an  electronic  format  for  tli^^  jjiuposes  of  qiialitv- 

18  reponmg.  stu^'eihance.  epidemiology,  adverse  event  repoit- 

19  ing.  research.  i;>r  tVir  other  piu'poses  determined  appro- 

20  priate  by  the  Secretaiy.  shah  comply  vith  the  standards 

21  and  implementation  specifications  adopted  mider  such 

22  subsection. 
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1  SEC.  302.  ENSURING  HEALTH  CARE  PROVIDERS  PARTICI- 

2  FATING  IN  THE  MEDICARE  PROGRAM  MAY 

3  MAINTAIN  HEALTH  INFORMATION  IN  ELEC- 

4  TRONIC  FORM. 

5  Section  1871  of  the  Social  Security  Act  (42  U.S.C. 

6  1395hh)  is  amended  by  adding  at  the  end  the  following 

7  new  subsection: 

8  "(g)(1)  Any  pro^dder  of  sei'vices  or  supplier  shall  be 

9  deemed  as  meeting  any  requirement  for  the  maintenance 

10  of  data  in  paper  form  under  this  title  (whether  or  not  for 

11  purposes  of  management,  billing,  reporting,  reimburse- 

12  ment,  or  othei-wise)  if  the  required  data  is  maintained  in 

13  an  electronic  form. 

14  "(2)  Nothing  hi  this  subsection  shall  be  constmed  as 

1 5  requiring  health  care  providers  to  maintain  or  submit  data 

16  in  electronic  form.". 
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